Windows Analysis Report PhraseExpressSetup.exe

Overview

General Information

Sample Name: PhraseExpressSetup.exe
Analysis ID: 452773
MD5: ce7db25979fb3cd61fca4a9e8f6d0c30
SHA1: d5ccf69c83cbbbbdeffc9805ec3f4abf6d02a847
SHA256: f8b33571fb06d4c68c5feb41750229ff48f0a8035749970f6462873ea6ed55aa

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Installs a global event hook (focus changed)
Installs a global keyboard hook
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

  • System is w10x64
  • PhraseExpressSetup.exe (PID: 4064 cmdline: 'C:\Users\user\Desktop\PhraseExpressSetup.exe' MD5: CE7DB25979FB3CD61FCA4A9E8F6D0C30)
    • PhraseExpressSetup.tmp (PID: 5552 cmdline: 'C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp' /SL5='$D0256,32684378,1115136,C:\Users\user\Desktop\PhraseExpressSetup.exe' MD5: B6F63D25BC114A183946CFE0BBC792D8)
      • regsvr32.exe (PID: 1008 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\Program Files (x86)\PhraseExpress\pexmsol.dll' MD5: 426E7499F6A7346F0410DEAD0805586B)
      • netsh.exe (PID: 6124 cmdline: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • phraseexpress.exe (PID: 2524 cmdline: C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe MD5: 07DC3423C4D131DFFB08BA7BBDC44C0D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Program Files (x86)\PhraseExpress\is-S3THG.tmp
Rule: JoeSecurity_DelphiSystemParamCount
Description: Detected Delphi use of System.ParamCount()
Author: Joe Security

Source: C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp
Rule: JoeSecurity_DelphiSystemParamCount
Description: Detected Delphi use of System.ParamCount()
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started
Author: Markus Neis, Sander Wiebing
Data:
Command: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
CommandLine: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
CommandLine|base64offset|contains: ijY
Image: C:\Windows\SysWOW64\netsh.exe
NewProcessName: C:\Windows\SysWOW64\netsh.exe
OriginalFileName: C:\Windows\SysWOW64\netsh.exe
ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp' /SL5='$D0256,32684378,1115136,C:\Users\user\Desktop\PhraseExpressSetup.exe'
ParentImage: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
ParentProcessId: 5552
ProcessCommandLine: 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
ProcessId: 6124

Jbx Signature Overview

Source: PhraseExpressSetup.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: PhraseExpressSetup.exe, Static PE information: certificate valid
Source: PhraseExpressSetup.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb(9G source: PhraseExpressSetup.tmp, 00000003.00000003.357345652.00000000037F1000.00000004.00000001.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: PhraseExpressSetup.tmp, 00000003.00000003.357345652.00000000037F1000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_0040B268 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_005EA2D0 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_0040CBFC FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_00642484 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global event hook (focus changed)
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Windows user hook set: Path: unknown, Event Start: focus, Event End: focus, Module: unknown
Installs a global keyboard hook
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Windows user hook set: 0 keyboard low level C:\Program Files (x86)\PhraseExpress\pexkey.dll
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Windows user hook set: 0 mouse low level C:\Program Files (x86)\PhraseExpress\pexkey.dll
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Windows user hook set: 1276 get message C:\Windows\system32\UIRibbon.dll
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Windows user hook set: 1276 call wnd proc C:\Windows\system32\UIRibbon.dll
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Windows user hook set: 0 mouse low level C:\Program Files (x86)\PhraseExpress\pexkey.dll
Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_004A0E28 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_005ED36C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_004254D0
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_004A8660
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_0040ECB4
Source: C:\Users\user\Desktop\PhraseExpressSetup.exe, Code function: 0_2_00431F50
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_0041073E
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_00640F38
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: 3_2_0040AFF4
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: String function: 005D3C90 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: String function: 005EAD48 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: String function: 005F4020 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: String function: 005F3D9C appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: String function: 005D39AC appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp, Code function: String function: 005BC634 appears 40 times
      Source: PhraseExpressSetup.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: PhraseExpressSetup.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: is-VC5Q1.tmp.3.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: is-VC5Q1.tmp.3.drStatic PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
      Source: is-M0D71.tmp.3.drStatic PE information: Resource name: RT_STRING type: x86 executable (TV) not stripped
      Source: is-M0D71.tmp.3.drStatic PE information: Resource name: RT_STRING type: 370 sysV pure executable not stripped
      Source: is-S3THG.tmp.3.drStatic PE information: Number of sections : 11 > 10
      Source: PhraseExpressSetup.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PhraseExpressSetup.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PhraseExpressSetup.tmp.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: PhraseExpressSetup.tmp.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PhraseExpressSetup.tmp.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: is-VC5Q1.tmp.3.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: is-VC5Q1.tmp.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: is-VC5Q1.tmp.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PhraseExpressSetup.exe, 00000000.00000002.365788724.0000000002470000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs PhraseExpressSetup.exe
      Source: PhraseExpressSetup.exe, 00000000.00000003.211610481.000000007FBE0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameshfolder.dll~/ vs PhraseExpressSetup.exe
      Source: PhraseExpressSetup.exe, 00000000.00000003.364481481.0000000002418000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekernel32j% vs PhraseExpressSetup.exe
      Source: PhraseExpressSetup.exe, 00000000.00000000.210538406.00000000004B8000.00000002.00020000.sdmpBinary or memory string: OriginalFileName vs PhraseExpressSetup.exe
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exeSection loaded: pexkey.dllJump to behavior
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exeSection loaded: atlthunk.dllJump to behavior
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exeSection loaded: msimg32.dllJump to behavior
      Source: PhraseExpressSetup.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
      Source: classification engineClassification label: sus28.spyw.evad.winEXE@10/48@0/0
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_0041A5FC GetDiskFreeSpaceW
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_00601C6C GetVersion,CoCreateInstance
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_004A1700 FindResourceW,SizeofResource,LoadResource,LockResource
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Users\user\AppData\Local\Programs
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$9dc
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$9dc
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_01
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Mutant created: \Sessions\1\BaseNamedObjects\PhraseExpress
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp
      Source: Yara match File source: C:\Program Files (x86)\PhraseExpress\is-S3THG.tmp, type: DROPPED
      Source: Yara match File source: C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp, type: DROPPED
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File read: C:\Program Files (x86)\desktop.ini
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
      Source: phraseexpress.exe, 00000015.00000000.332731414.0000000000E51000.00000020.00020000.sdmp Binary or memory string: SELECT * FROM sys.syslogins;
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
      Source: phraseexpress.exe, 00000015.00000000.332731414.0000000000E51000.00000020.00020000.sdmp Binary or memory string: SELECT MIN(w1."did") ind, w2."did" dupind FROM domains w1 INNER JOIN domains w2 ON (w1."value" = w2."value") WHERE w2."did" > w1."did" GROUP BY w2."did";
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
      Source: phraseexpress.exe, 00000015.00000000.332731414.0000000000E51000.00000020.00020000.sdmp Binary or memory string: SELECT MIN(w1."wid") ind, w2."wid" dupind FROM workgroups w1 INNER JOIN workgroups w2 ON (w1."value" = w2."value") WHERE w2."wid" > w1."wid" GROUP BY w2."wid";
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
      Source: phraseexpress.exe, 00000015.00000000.332731414.0000000000E51000.00000020.00020000.sdmp Binary or memory string: SELECT MIN(w1."uid") ind, w2."uid" dupind FROM users w1 INNER JOIN users w2 ON (w1."value" = w2."value") WHERE w2."uid" > w1."uid" GROUP BY w2."uid";
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
      Source: phraseexpress.exe, 00000015.00000000.337159239.0000000001B74000.00000008.00020000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
      Source: PhraseExpressSetup.exe String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe File read: C:\Users\user\Desktop\PhraseExpressSetup.exe
      Source: unknown Process created: C:\Users\user\Desktop\PhraseExpressSetup.exe 'C:\Users\user\Desktop\PhraseExpressSetup.exe'
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp 'C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp' /SL5='$D0256,32684378,1115136,C:\Users\user\Desktop\PhraseExpressSetup.exe'
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process created: C:\Windows\SysWOW64\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\Program Files (x86)\PhraseExpress\pexmsol.dll'
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
      Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process created: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Window found: window name: TSelectLanguageForm
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Automated click: OK
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Automated click: Next >
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\10.0\Outlook
      Source: PhraseExpressSetup.exe Static PE information: certificate valid
      Source: PhraseExpressSetup.exe Static file information: File size 34303472 > 1048576
      Source: PhraseExpressSetup.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb(9G source: PhraseExpressSetup.tmp, 00000003.00000003.357345652.00000000037F1000.00000004.00000001.sdmp
      Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: PhraseExpressSetup.tmp, 00000003.00000003.357345652.00000000037F1000.00000004.00000001.sdmp
      Source: PhraseExpressSetup.exe Static PE information: real checksum: 0x20c075e should be:
      Source: is-VC5Q1.tmp.3.dr Static PE information: real checksum: 0x2d1937 should be: 0x2cf5da
      Source: PhraseExpressSetup.exe Static PE information: section name: .didata
      Source: PhraseExpressSetup.tmp.0.dr Static PE information: section name: .didata
      Source: is-VC5Q1.tmp.3.dr Static PE information: section name: .didata
      Source: is-S3THG.tmp.3.dr Static PE information: section name: .didata
      Source: is-AFL57.tmp.3.dr Static PE information: section name: .didata
      Source: is-MBKTQ.tmp.3.dr Static PE information: section name: .didata
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-ITQ7B.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-9929J.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-9UM50.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-LP8N7.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-ROS3A.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-U3PJH.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-N9NC9.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-S3THG.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-M708D.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-AFL57.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-5664E.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-SQJ41.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Users\user\AppData\Local\Temp\is-SQJ41.tmp\_isetup\_isdecmp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-VC5Q1.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-TSPG7.tmp
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe File created: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\Program Files (x86)\PhraseExpress\is-M0D71.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PhraseExpress.lnk
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhraseExpress.lnk
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PhraseExpress.lnk
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_00630418 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_005A57A4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-9929J.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-ITQ7B.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-9UM50.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-LP8N7.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-U3PJH.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-ROS3A.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-N9NC9.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-S3THG.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-5664E.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-AFL57.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SQJ41.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SQJ41.tmp\_isetup\_isdecmp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-TSPG7.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-VC5Q1.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PhraseExpress\is-M0D71.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Check user administrative privileges: GetTokenInformation,DecisionNodesgraph_3-24000
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_0040B268 FindFirstFileW,FindClose,0_2_0040B268
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040AC9C
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_005EA2D0 FindFirstFileW,GetLastError,3_2_005EA2D0
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_0040CBFC FindFirstFileW,FindClose,3_2_0040CBFC
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_00642484 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,3_2_00642484
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,3_2_0040C630
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_004A162C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_004A162C
      Source: PhraseExpressSetup.exe, 00000000.00000002.365788724.0000000002470000.00000002.00000001.sdmp, PhraseExpressSetup.tmp, 00000003.00000002.360988485.0000000002650000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: PhraseExpressSetup.exe, 00000000.00000002.365788724.0000000002470000.00000002.00000001.sdmp, PhraseExpressSetup.tmp, 00000003.00000002.360988485.0000000002650000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: PhraseExpressSetup.exe, 00000000.00000002.365788724.0000000002470000.00000002.00000001.sdmp, PhraseExpressSetup.tmp, 00000003.00000002.360988485.0000000002650000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: PhraseExpressSetup.exe, 00000000.00000002.365788724.0000000002470000.00000002.00000001.sdmp, PhraseExpressSetup.tmp, 00000003.00000002.360988485.0000000002650000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: phraseexpress.exe, 00000015.00000000.332731414.0000000000E51000.00000020.00020000.sdmp Binary or memory string: VMwareHostOpen.exe
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_0062FC50 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,3_2_0062FC50
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_005A522C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,3_2_005A522C
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_005A43D0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,3_2_005A43D0
      Source: phraseexpress.exe, 00000015.00000000.336004809.0000000001851000.00000020.00020000.sdmp Binary or memory string: Shell_TrayWnd
      Source: phraseexpress.exe, 00000015.00000000.332731414.0000000000E51000.00000020.00020000.sdmp Binary or memory string: TrayNotifyWndShell_TrayWndSVWU
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_00405AC0 cpuid 0_2_00405AC0
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040B3B8
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: GetLocaleInfoW,0_2_0041E154
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: GetLocaleInfoW,0_2_0041E1A0
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040A840
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: GetLocaleInfoW,0_2_004A0F30
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: GetUserDefaultUILanguage,GetLocaleInfoW,3_2_0040CD4C
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: GetLocaleInfoW,3_2_005EE07C
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_0040C1D4
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Program Files (x86)\PhraseExpress\phraseexpress.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Code function: 3_2_0060D02C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,3_2_0060D02C
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_0041C4F8 GetLocalTime,0_2_0041C4F8
      Source: C:\Users\user\Desktop\PhraseExpressSetup.exe Code function: 0_2_004A7114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,0_2_004A7114

      Lowering of HIPS / PFW / Operating System Security Settings:

      Modifies the windows firewall
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
      Uses netsh to modify the Windows network and firewall settings
      Source: C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp Process created: C:\Windows\SysWOW64\netsh.exe 'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API 1 | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 2 | Credential API Hooking 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
      Default Accounts | Command and Scripting Interpreter 2 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 111 | File and Directory Discovery 2 | Remote Desktop Protocol | Credential API Hooking 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 2 | DLL Side-Loading 1 | Obfuscated Files or Information 2 | Security Account Manager | System Information Discovery 36 | SMB/Windows Admin Shares | Input Capture 111 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Access Token Manipulation 1 | DLL Side-Loading 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Process Injection 3 | Masquerading 2 | LSA Secrets | Security Software Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 3 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Regsvr32 1 | Proc Filesystem | System Owner/User Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      Behavior Graph ID: 452773; Sample: PhraseExpressSetup.exe; Startdate: 22/07/2021; Architecture: WINDOWS; Score: 28
      • PhraseExpressSetup.exe (started)
        - dropped: C:\Users\user\...\PhraseExpressSetup.tmp, PE32
        - started: PhraseExpressSetup.tmp
      • PhraseExpressSetup.tmp
        - dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        - dropped: C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32
        - dropped: C:\Program Files (x86)\...\is-VC5Q1.tmp, PE32
        - dropped: 14 other files (none is malicious)
        - signature: Uses netsh to modify the Windows network and firewall settings
        - signature: Modifies the windows firewall
        - started: phraseexpress.exe, netsh.exe, regsvr32.exe
      • phraseexpress.exe
        - signature: Installs a global keyboard hook
        - signature: Installs a global event hook (focus changed)
      • netsh.exe
        - started: conhost.exe


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      PhraseExpressSetup.exe | 0% | Virustotal |
      PhraseExpressSetup.exe | 3% | Metadefender |
      PhraseExpressSetup.exe | 0% | ReversingLabs |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\PhraseExpress\is-5664E.tmp | 0% | Metadefender |
      C:\Program Files (x86)\PhraseExpress\is-5664E.tmp | 3% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-9929J.tmp | 0% | Metadefender |
      C:\Program Files (x86)\PhraseExpress\is-9929J.tmp | 0% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-9UM50.tmp | 0% | Metadefender |
      C:\Program Files (x86)\PhraseExpress\is-9UM50.tmp | 0% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-AFL57.tmp | 0% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-ITQ7B.tmp | 0% | Metadefender |
      C:\Program Files (x86)\PhraseExpress\is-ITQ7B.tmp | 2% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-LP8N7.tmp | 0% | Metadefender |
      C:\Program Files (x86)\PhraseExpress\is-LP8N7.tmp | 0% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-M0D71.tmp | 4% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-M708D.tmp | 0% | ReversingLabs |
      C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp | 0% | Metadefender |
      C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp | 0% | ReversingLabs |

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.innosetup.com/ | 0% | URL Reputation | safe
      http://www.macrorecorder.comopen | 0% | Avira URL Cloud | safe
      http://www.kymoto.orgAbout | 0% | URL Reputation | safe
      http://ocsp.certum.pl0. | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.comrt | 0% | Avira URL Cloud | safe
      https://www.trichview.com | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/forum/viewtopic.php?f=170&t=13939 | 0% | Avira URL Cloud | safe
      http://www.indyproject.org/ | 0% | URL Reputation | safe
      http://www.kymoto.orgg | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/de/datenschutz// | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/forum/viewtopic.php?f=171&t=13938 | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/license/authorize.php?license=%s&hwid=%s&hs=%s&version=%s&langid=%s | 0% | Avira URL Cloud | safe
      https://lib.mydban.de/pdapi/dban/%s/%s | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/de/I | 0% | Avira URL Cloud | safe
      http://www.kymoto.orgaKQ | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/forum/viewforum.php?f=232openhttps://www.bartelsmedia.com/forum/viewfor | 0% | Avira URL Cloud | safe
      http://www.remobjects.com/ps | 0% | URL Reputation | safe
      https://www.bartelsmedia.com/privacy/S | 0% | Avira URL Cloud | safe
      https://www.bartelsmedia.com/license/deregister.php?license=%s&version=%s&hwid=%s&hs=%s&langid=%sU | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries


                                                          Contacted IPs

                                                          No contacted IP infos

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:452773
                                                          Start date:22.07.2021
                                                          Start time:20:13:04
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 45s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:PhraseExpressSetup.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:29
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:SUS
                                                          Classification:sus28.spyw.evad.winEXE@10/48@0/0
                                                          EGA Information:
                                                          • Successful, ratio: 50%
                                                          HDC Information:
                                                          • Successful, ratio: 16.9% (good quality ratio 16.5%)
                                                          • Quality average: 76.7%
                                                          • Quality standard deviation: 23.1%
                                                          HCA Information:Failed
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                          • Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          No simulations

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          Match | Associated Sample Name / URL | Detection
                                                          C:\Program Files (x86)\PhraseExpress\is-5664E.tmp | camaleones-capitulo-_444546424.exe | malicious
                                                          C:\Program Files (x86)\PhraseExpress\is-5664E.tmp | camaleones-capitulo-_444546424.exe | malicious
                                                          C:\Program Files (x86)\PhraseExpress\is-5664E.tmp | PortPSuitePro20082.0.4283_softarchive.net.exe | malicious

                                                                Created / dropped Files

                                                                C:\Program Files (x86)\PhraseExpress\dict\is-1CMDO.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):155340
                                                                Entropy (8bit):4.495629622822482
                                                                Encrypted:false
                                                                SSDEEP:3072:9RcPZHrjW38zbABUCnGR+OQcHvPE3ehYIwkTHDCBxtpm:9RcPZHrjW38zbqXOlCa
                                                                MD5:F9BB3516C1AC429C5919926A196D96B7
                                                                SHA1:3ED628CF5E86DB03322F9606E7B67A77D2EA7B35
                                                                SHA-256:F27F55CD1DC1AD68696EE86AC83358027EE624F8E5BA4096533E9346C734FB2D
                                                                SHA-512:BB6A937475605114C534EADF205C70990FD880536A2BF4CDC82B7F7468B986031D288F58984908D3FE0B9CB02693EDD691DD8C9501A01133D3933B7221285D66
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: SET ISO8859-1.TRY aeroinsctldumpbgfvhz..j.q..xy..kwAEROINSCTLDUMPBGFVHZ..J.Q..XY..KW.REP 20.REP .s az.REP az .s.REP cc x.REP .s ez.REP ez .s.REP g.e hue.REP g.i hui.REP hue g.e.REP hui g.i.REP .s iz.REP .o ido.REP ke que.REP ki qui.REP ll y.REP mb nv.REP nv mb.REP seci cesi.REP x cc.REP y ll.REP v.monos vay.monos.MAP 5.MAP a.A..MAP e.E..MAP i.I..MAP o.O..MAP u..U...PFX a Y 2.PFX a 0 a [^aeiou].PFX a 0 an [aeiou].PFX b Y 1.PFX b 0 ante ..PFX c Y 2.PFX c 0 anti [^r].PFX c 0 antir r.PFX d Y 2.PFX d 0 auto [^r].PFX d 0 autor r.PFX e Y 2.PFX e 0 bi [^r].PFX e 0 bir r.PFX f Y 6.PFX f 0 con [^abehilopru].PFX f 0 con ll.PFX f 0 com pb.PFX f 0 co [aehiou].PFX f 0 co l[^l].PFX f 0 cor r.PFX g Y 3.PFX g 0 de [^er].PFX g 0 d e.PFX g 0 der r.PFX h Y 2.PFX h 0 des [^s].PFX h 0 de s.PFX i Y 2.PFX i 0 em [bp].PFX i 0 en [^bp].PFX j Y 2.PFX j 0 entre [^r].PFX j 0 entrer r.PFX k Y 4.PFX k 0 i l.PFX k 0 im [bp].PFX k 0 in [^blpr].PFX k 0 ir r.PFX l Y 1.PFX l 0 inter ..PFX m Y 2.PFX m 0 micro [^r].PFX m 0
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-1NQ3D.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):655388
                                                                Entropy (8bit):4.624476519112588
                                                                Encrypted:false
                                                                SSDEEP:12288:tn5qxhntLD5p92NMNzNVLncDnCbSewKCJfa0gCqO3sp1vlNunVb1Y8vlKRYmvEnG:55WtLD5p92NMNzNVLnc+bQa0gCqyGnNP
                                                                MD5:3A109232EED12F63184354682599B5E1
                                                                SHA1:E03786F7C35C97EDD07BED0555753B69CE2ACC7F
                                                                SHA-256:25FAC3F759E091986723393A3788F9282363B0298C7CD942C18DAD03F4E9D856
                                                                SHA-512:6A2856452765076506BDA1D90E1B6A464BA7C145DB12154EED7D00D07FB17D1AC23372EAE3146F165B159879D1C70484F21122D616C7D2E18578811924F59A7A
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: 54669.a.ababa/S.ababol/S.abacer.a/S.abacero/GS..baco/S.abada/S.abadejo/S.abadengo/GS.abadengo/S.abadernar/RED.abadesa/S.abad.a/S.abadiato/S.abad/S.abajadero/S.abajamiento/S.abajar/RED.abajo.abalanzar/RED.....abalar/RED.abaldonar.abalear/RED.abalizar/RED.aballar/RED.aballestar/RED.abalorio/S.abaluartar/RED.abanar/RED.aba.ar/RED.abancalar/RED.abanderado/GS.abanderamiento/S.abanderar/RED.abanderizar/RED.abandonadamente.abandonado/GS.abandonar/RED...........abandonismo/S.abandonista/S.abandono/S.abanear/RED.abanicar/RED........abanico/HS.abaniqueo/S.abaniquero/GS.abanto/S.abaos.abara.ar/RED.abaratamiento/S.abaratar/RED..abarbechar/RED.abarcable/Sk.abarcado/GS.abarcador/GS.abarcadura/S.abarcamiento/S.abarcar/RED.....abarca/S.abarcuzar/RED.abarloar/RED.abarquillado/GS.abarquillamiento/S.abarquillar/RED.abarraganar/RED.abarrajar/RED.abarrancadero/S.abarrancamiento/S.abarrancar/RED.abarrar.abarrederas.abarrenar.abarrotadamente.abarrotar/RED.abarse.abastardar/RED.abastar/RED.abastecedor/GS.abas
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-47GIT.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:UTF-8 Unicode text
                                                                Category:dropped
                                                                Size (bytes):328899
                                                                Entropy (8bit):4.948690688652743
                                                                Encrypted:false
                                                                SSDEEP:3072:YRwiEF13ni2ABC3rd/UJ107UL5ouZLJWZCCa++F5fJx5TsgbBgrascEyIJrUG6aQ:d3nifQ8mQkd6eo4uT8a5tYpyOIkYF2Kl
                                                                MD5:FEB4DBD3B828C24C70EBF2517B99DC6C
                                                                SHA1:31EFB464130BD942DDA2A0790DC88A17C2223D68
                                                                SHA-256:1B05088BB26F70D72595AF1DD80E2B940AF09586A45FADD4B1382CC1439E6514
                                                                SHA-512:9D945ECD143E0AD82937CF5CAE14840D1DCE2CBDB5B44382957A30DEB0B9F0157F82A600E22BD3F1174368C0CD8FA0C2527C7D566B66E74C14A55F38ABDEEDD2
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: # AFFIXES DU DICTIONNAIRE FRAN.AIS .Moderne. v4.2.# par Olivier R. -- licences LGPL, GPL, MPL.# G.n.r. le 04.07.2011 20:18:43.# Pour am.liorer le dictionnaire, allez sur http://www.dicollecte.org/....SET UTF-8..WORDCHARS -....TRY a...bc.de....fghi..jklmno..pqrstu...vwxyz..A...BC.DE....FGHI..JKLMNO..PQRSTU...VWXYZ...........MAP 12.MAP a....MAP e.....MAP i..y.MAP o...MAP u....MAP c..MAP A....MAP E.....MAP I..Y.MAP O...MAP U....MAP C...REP 66.REP f ph.REP ph f.REP c qu.REP qu c.REP k qu.REP qu k.REP x ct.REP ct x.REP bb b.REP b bb.REP cc c.REP c cc.REP ff f.REP f ff.REP ll l.REP l ll.REP mm m.REP m mm.REP nn n.REP n nn.REP pp p.REP p pp.REP rr r.REP r rr.REP ss s.REP s ss.REP ss c.REP c ss.REP ss ..REP . ss.REP tt t.REP t tt.REP . oe.REP oe ..REP . ae.REP ae ..REP ai ..REP . ai.REP ai ..REP . ai.REP ai ..REP . ai.REP ei ..REP . ei.REP ei ..REP . ei.REP ei ..REP . ei.REP o au.REP au o.REP o e
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-95SP6.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text, with CRLF, LF line terminators
                                                                Category:dropped
                                                                Size (bytes):1969349
                                                                Entropy (8bit):5.004672306807787
                                                                Encrypted:false
                                                                SSDEEP:24576:jWiEX/7wG5tVceyfmvqYZoQPoQDTcsvJZkiObOxinq+:jWiEXDp5r7qYZDvcsBZkiObOxq
                                                                MD5:CF83969667690E74BA12CE4C7229BA79
                                                                SHA1:37FD9C60C18DC0F9E7B7CBDAA32AF78A7BB9A3CF
                                                                SHA-256:C0D81126B0A905CCC6FD891C923B43D39B4CE449DA5A333859229354C510168F
                                                                SHA-512:1AE4D8DFEA88C83B3C926D2484C04AC18095F4E0E6B5227384FE52EDCE7FCC5C211A25E3C526CDD30A62975BA96C767738E01E41CD5396B18784CD08BD8D2F32
                                                                Malicious:false
                                                                Reputation:low
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-A9289.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:UTF-8 Unicode text
                                                                Category:dropped
                                                                Size (bytes):3090
                                                                Entropy (8bit):4.265508394688043
                                                                Encrypted:false
                                                                SSDEEP:48:NrVEN1hml41/nRnIvpU0GcH1kcpdBin5Nz5NKtGhykCM1Ap:nq7yldATX4GhykBAp
                                                                MD5:EAAE9BAE63B305440B412A48E1653A26
                                                                SHA1:E22BE4B305584C419DBFDAD2F69BFA1BB181D239
                                                                SHA-256:C7A8C4D08C29D237880844B1623099F59092602F189BE38CE3912E457FF38BC1
                                                                SHA-512:B18126F63BAE384CD32786093F462A5DBC906E47A4A3B93C90E394A2282AF2A0E3E9A817D0087659DCD951D61F5522CB1A498E208A626FA5738E236A62506406
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: SET UTF-8.TRY esianrtolcdugmphbyfvkwzESIANRTOLCDUGMPHBYFVKWZ'.ICONV 1.ICONV . '.NOSUGGEST !..# ordinal numbers.COMPOUNDMIN 1.# only in compounds: 1th, 2th, 3th.ONLYINCOMPOUND c.# compound rules:.# 1. [0-9]*1[0-9]th (10th, 11th, 12th, 56714th, etc.).# 2. [0-9]*[02-9](1st|2nd|3rd|[4-9]th) (21st, 22nd, 123rd, 1234th, etc.).COMPOUNDRULE 2.COMPOUNDRULE n*1t.COMPOUNDRULE n*mp.WORDCHARS 0123456789..PFX A Y 1.PFX A 0 re ...PFX I Y 1.PFX I 0 in ...PFX U Y 1.PFX U 0 un ...PFX C Y 1.PFX C 0 de ...PFX E Y 1.PFX E 0 dis ...PFX F Y 1.PFX F 0 con ...PFX K Y 1.PFX K 0 pro ...SFX V N 2.SFX V e ive e.SFX V 0 ive [^e]..SFX N Y 3.SFX N e ion e.SFX N y ication y .SFX N 0 en [^ey] ..SFX X Y 3.SFX X e ions e.SFX X y ications y.SFX X 0 ens [^ey]..SFX H N 2.SFX H y ieth y.SFX H 0 th [^y] ..SF
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-D5OEA.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):18991
                                                                Entropy (8bit):4.020891948531528
                                                                Encrypted:false
                                                                SSDEEP:384:fHU628Q7qUS5OvlnzMmYiQ8JDlPBVU2AMLZUO8zaGUOr0Lmk5T2xqTP:i+OwUhLmYP
                                                                MD5:601A05D0785CA99FDBDF712CA9326302
                                                                SHA1:52E8AAD2278B84AC228B2456172761A35FED27AB
                                                                SHA-256:089A1B446A91D51B19D9B7B9529C3D2EE48678E0443BD50E56CC9EC2155A4C38
                                                                SHA-512:9D7BA7DD30308817B31A3F79BB081BCE805254CC0D1CA022E3BDE77EA8BDA83F861277600DCF363F1F9FEE781B4030AC94EFFC17A514AFF74958DB2D02B69EF1
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: # this is the affix file of the de_DE Hunspell dictionary.# derived from the igerman98 dictionary.#.# Version: 20161207+frami20170109.#.# Copyright (C) 1998-2016 Bj.rn Jacke <bjoern@j3e.de>.#.# License: GPLv2, GPLv3.# There should be a copy of both of this licenses included.# with every distribution of this dictionary. Modified.# versions using the GPL may only include the GPL..SET ISO8859-1.TRY esijanrtolcdugmphbyfvkwqxz..........ESIJANRTOLCDUGMPHBYFVKWQXZ....-...PFX U Y 1.PFX U 0 un ...PFX V Y 1.PFX V 0 ver ...SFX F Y 35.SFX F 0 nen in.SFX F e in e.SFX F e innen e.SFX F 0 in [^i]n.SFX F 0 innen [^i]n.SFX F 0 in [^enr].SFX F 0 innen [^enr].SFX F 0 in [^e]r.SFX F 0 innen [^e]r.SFX F 0 in [^r]er.SFX F 0 innen [^r]er.SFX F 0 in [^e]rer.SFX F 0 innen [^e]rer.SFX F 0 in ierer.SFX F 0 inn
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-E6VRM.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):2791345
                                                                Entropy (8bit):4.876632567625412
                                                                Encrypted:false
                                                                SSDEEP:49152:TmVHSjaevALKkFeRvVTSxM75uxR59W6EgK1j:h
                                                                MD5:B1914E30DC189EC8387ED024F575A632
                                                                SHA1:D30277909419CE485B9F8B201FEFCEAF7ED0FECE
                                                                SHA-256:4844EE949166D94D577DB3BE224A0B953209B664BA47184E90D3A5D0D06040B4
                                                                SHA-512:8ECC17E722B3B15A3A47E7FB0838F1865904BA595799762A4691B4A31CE4618E1E8C9BF769051535F58617E70395E5A2052AB84D4E42A2E30BD36974FCFD2592
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: 174156..This is the dictionary file of the de_CH Hunspell dictionary..derived from the igerman98 dictionary....Version: 20110321+frami20110505 (build 20110505)....Copyright (C) 1998-2011 Bjoern Jacke <bjoern@j3e.de>, for the addon Franz Michael Baumann <fm.baumann@uni-muenster.de>....License: GPLv2, GPLv3 or OASIS distribution license agreement There..should be a copy of all of this licenses included with every distribution..of this dictionary. Modified versions using the GPL may only include the..GPL. This dictionary is compiled from igerman98. For the purpose of the..GPL modifications of this dictionary should be made public as a patch..for igerman98 allowing to regenerate the modified dictionary.....bte/Nm..btissin/Fm..btissinnenst.be/Nm..btissinnenstab/STm..chten/SJm..cker/Nm..derchen/Sm..dikula..dikularrahmen/Sm..dikulen..dil/EPS..ffchen/Sm..ffin/Fm..g.is/m..g.isbereich/EPSTm..g.isinsel/Nm..g.iskreuzfahrt/Pm..gide/m..gidii..gidisch/Am..gidius..gypten/Sm..gyptenfeldzug/STm..gyptenr
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-ES1C5.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):1290710
                                                                Entropy (8bit):4.666515012454063
                                                                Encrypted:false
                                                                SSDEEP:12288:/sHZKNqSbC68xT/RVKzoaHvKWBFpgULIGfgHpUFUS3uWettSy/5gkSMracFqjZ+k:axrrULIGfgHpI3y2kSSFqIXOC0fN
                                                                MD5:5F1DE292FC9E1B624C7ECFB11285464A
                                                                SHA1:353FCE4DFDCE9A2A17AEFDE77AB9A27941BCE65B
                                                                SHA-256:C6AFAB90B90B48BD929041CD0C2A8655DB201AF508AB1437AC4BEFCA7D39AB60
                                                                SHA-512:6F74938E35C062866C1546EEC806EE5C69B1F8C284864CBC2BA75FCC7B69A6D5503F5A6A120A588DACCA252AB1F7D6F02AEAC30DA9AC9F4BCD8088E78669219D
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: 95187./ Estensione linguistica italiana - Italian Writing Aids extension./ Forked from: Dizionario italiano, see README.txt for details./ ./ Copyright (C) 2001, 2002 Gianluca Turconi./ Copyright (C) 2002, 2003, 2004 Gianluca Turconi and Davide Prina./ Copyright (C) 2004, 2005, 2006, 2007 Davide Prina./ Copyright (C) 2010, 2011, 2012 Andrea Pescetti././ E-Mail: pescetti<AT>apache<DOT>org./ Home: http://extensions.services.openoffice.org/project/dict-it./ License: GNU GPL 3././ Version 3.3.1 (24/03/2011) (DD/MM/YYYY)././ This file is distributed under the GPL license.././ This file is part of the "Estensione linguistica italiana - Italian./ Writing Aids extension".././ The "Estensione linguistica italiana - Italian Writing Aids extension"./ is free software; you can redistribute it and/or./ modify it under the terms of the GNU General Public License, version 3,./ as published by the Free Software Foundation.././ The "Estensione linguistica italiana - Italian Writing Aids extension"./ is
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-FANAG.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):53019
                                                                Entropy (8bit):3.550334150836068
                                                                Encrypted:false
                                                                SSDEEP:1536:Mqxd6yfKadJOT+NNxlLcS7GGN1gz2hNGe1IVk:F/lLcStt
                                                                MD5:0924281462DFB8EBCF65FEAE1ED3FE59
                                                                SHA1:AF784DBA46BFA11FC9294A00B7ED5A7BE3DE0EF9
                                                                SHA-256:709CF9B41208961226E995A3AB75A2DA834AAF4F9707CB87CBB37D4943B6A50D
                                                                SHA-512:DCED13C3E236C9DAB6BE2D40F0E26DBFCF592340DD7B292A004E62BA01DB517802B9CFE6AD30BF8561237E485C85B7FF826114B6FC091270B57C01A457D78121
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-FNBHK.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:UTF-8 Unicode text
                                                                Category:dropped
                                                                Size (bytes):1881063
                                                                Entropy (8bit):4.889832423906744
                                                                Encrypted:false
                                                                SSDEEP:49152:aAt8wyofrh8Ce7DeAk2ksixkLlTMitYcXPpwj30yPtvBmJre2VcskBHMlqNb/tbD:D
                                                                MD5:ABC98493971B329AC9B899849BF5DB09
                                                                SHA1:E622DAD3384FAA37A1B1B40266EF7FCA155F0E7B
                                                                SHA-256:24782020D0D0BD465270027F51443B752F8DDAECF7C612A225E8668E1746AA24
                                                                SHA-512:F83EFDB2615B9A37F4951CBA84F361B228B2CC20DBAF9669C70B994D9308506B162442881D0EC2D918527A1C418793F7AA149BA59EAA98C43E8A61E44A9981FF
                                                                Malicious:false
                                                                Preview: 142519.06/ClCw.0/G0.1/G1G0ClCw.2/G1G0ClCw.3-c.ferig/Aa.3D/ClCw.3/G1G0ClCw.3M/ClCw.3VO/ClCw.4/G1G0ClCw.5/G1G0ClCw.6/G1G0ClCw.7/G1G0ClCw.8/G1G0ClCw.9/G1G0ClCw.A4/ClCwYg.Aad/PN.Aafje/PN.Aafke/PN.Aaftink/PN.Aagje/PN.aagtappel/Za.aagt/ZbC1.aaibaar/Al.aaibaarheid/C1.aaien/ViPr.aaiing/Zb.Aa./PN.aai/V3Vp.aak/Zf.Aalbers/PN.Aalberts/PN.aalbes/ZeC1.Aalbrecht/PN.Aalbregt/PN.Aaldering/PN.Aalderink/PN.Aalders/PN.Aaldert/PN.Aald.k/PN.Aalfs/PN.aalfuik/Zb.aalglad/An.Aaliyah/PN.aalkorf/Zh.aalkuip/Zb.aalmoes/Zh.aalmoezenier/CcCdZaC1.Aalpoel/PN.aalpomp/Zb.aalput/Ze.aalscholver/ZaCAC1.Aalsmeer/PNCAPIC0.aalspeer/Zf.aalstal/Ze.aalsteker/Za.Aalstenaar/Za.aalstreep/Zf.Aaltenaar/Za.Aalten/PNPI.Aalteraar/Za.Aalter/PNSvPI.Aaltjen/PN.Aalt/PN.aalvlug/An.aalvormig/Aa.aal/YaZf.aambeeld/Zb.aambei/Zb.aamborstig/Aa.aamborstigheid/C1.aanaard/C1.aanaarding/ZbC1.aanaardploeg/Zb.aanbaksel/Za.aanbeeldsblok/Ze.aanbeeld/Zb.aanbelang/Zb.aanberming/ZbC1.aanbesteder/Za.aanbesteding/ZbCcC1.aanbetaling/ZbC1.aanbevelenswaardig/Aa
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-FPTGM.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:UTF-8 Unicode text
                                                                Category:dropped
                                                                Size (bytes):1094698
                                                                Entropy (8bit):4.915559898530455
                                                                Encrypted:false
                                                                SSDEEP:6144:5iRgGvDCPYWGVXgX1lelzaDqG4TAVPCDnjQbywe96AEgNWM35yCi9e/xlN/HaGs6:5qgCDPoHEFn5Egj/1gSVznE50xV
                                                                MD5:4AC919DD4E9209805A158FF9878DC707
                                                                SHA1:C515EDC7E16A05A61F38418C97736AAEECA1665B
                                                                SHA-256:788B9B15545924C1D94EAACF027AF53A6895CF451915B9AA7D76648FC9BC4691
                                                                SHA-512:B2C25D242C5E6D12A1388DC4D373A24536BF1BC7C0040BAE947C23A106EFE96486253043932FA7C61B2B6609C87BE2E724F6FFFCE373AC5FF493FF1FE876B0A6
                                                                Malicious:false
                                                                Preview: 67498.2D.87.3D.87.A/51.86../52.86.ADN/54.86.ADSL/67.102.AIEA/67.102.ARN/54.86.ASBL/54.87.ASC/67.102.ASCII/67.102.AUD/111.86.Aarhus/54.89.Aaron/54.90.Aarschot/54.89.Abbeville/54.89.Abd/54.90.Abdelkader/54.90.Abel/54.90.Abidjan/54.89.Abitibi-T.miscamingue/67.111.Abkhazie/60.111.Abraham/54.90.Abu/54.89.Abuja/54.89.Abymes.122.Abyssinie/60.111.Acadie/60.111.Acapulco/54.89.Accra/54.89.Acha.e/60.111.Achgabat/54.89.Achille/54.90.Aconcagua/67.131.A.ores.132.Adam/54.90.Adamov/54.134.Adams/54.134.Adana/54.89.Addis-Abeba/54.89.Ad.la.de/54.135.Adelbert/54.90.Ad.le/54.135.Adeline/54.135.Adige/60.131.Adolphe/54.90.Adona./54.90.Adonis/54.90.Adour/60.131.Adriatique/67.111.Adrien/54.90.Adrienne/54.135.Afghanistan/60.131.Afrique/60.111.Agamemnon/54.90.Agatha/54.135.Agathe/54.135.Agde/54.89.Agen/54.89.Agg.e/54.90.Agla./54.135.Agn.s/54.135.Agrippine/54.135.Ah/52.86.Ahmed/54.90.Ahmedabad/54.89.A.cha/54.135.A.d-el-Adha/67.87.A.d-el-K.bir/67.87.Aigoual/60.131.Aim./54.90.Aim.e/54.135.Ain/67.13
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-HCBT5.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):550782
                                                                Entropy (8bit):4.741353111909164
                                                                Encrypted:false
                                                                SSDEEP:12288:9/zY86Hl5VHNCZC9S/rWFgMrmCkjnQPxYzaHyPHC:5086F/CC93LeQpYzaSPHC
                                                                MD5:2C146B2BC850D6FF52448E8DD3F71919
                                                                SHA1:B1D9DECCD17BF0137CF99813912C2173DD5DA721
                                                                SHA-256:27E06871AA723E03F82A13FBA31D3117048C81DFC41920C72E347C06208D6CDE
                                                                SHA-512:538F9185ED41183B2143784B0D2E810D0FBA93C5DBFED84ECF1BE5029CC0B48EDCABA0EFDFABBAADF37AD7B388AB3490638AA19B065BB6CF5FF2A0C18E635D4A
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-M1KMT.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):80280
                                                                Entropy (8bit):4.274966490688955
                                                                Encrypted:false
                                                                SSDEEP:768:X56nBh3unRqRjNuivuIiw3uVbN6GLCMd3IkRAOw4D/pB69:JoRBmrDRAOw4D/pBm
                                                                MD5:E2DF937D98C899E84563FA329ADB64F8
                                                                SHA1:0B8FBA844188F04D2237D3F3D3F601ECDEAAD5FD
                                                                SHA-256:AE912F2662F754F92902AA41067C51D164C859A076928D2DCB78DC725855F79B
                                                                SHA-512:11745A3C9CA996B6D1E41ED7ECA261B1DF0883659721A9ED1193802E8044AC2AE43BBD2CAE4AED7DE9CC26ACE0087BF667A1A3CA5438C1F45CEC34246DB3FF23
                                                                Malicious:false
                                                                Preview: # Dizionario italiano.# .# Copyright (C) 2001, 2002 Gianluca Turconi.# Copyright (C) 2002, 2003, 2004 Gianluca Turconi and Davide Prina.# Copyright (C) 2004, 2005, 2006, 2007 Davide Prina.#.# E-Mail: DavidePrina(CHIOCCIOLA)yahoo(PUNTO)com.# home: http://linguistico.sf.net/wiki.#.# Version 2.4 (01/09/2007) (DD/MM/YYYY).# Note: this file is unmodified in the current package, hence no.# copyright notes have been added to it..#.# This file is distributed under GPL license..#.# This file is part of the "dizionario italiano"..#.# The "dizionario italiano" is free software; you can redistribute it and/or.# modify it under the terms of the GNU General Public License as published .# by the Free Software Foundation; either version 3 of the License, or.# (at your option) any later version..#.# The "dizionario italiano" is distributed in the hope that it will be .# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-M67EL.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ASCII text
                                                                Category:dropped
                                                                Size (bytes):641025
                                                                Entropy (8bit):4.760025857612187
                                                                Encrypted:false
                                                                SSDEEP:6144:RZMd+E+p16noqQ99mDo1AYOUYOKzdwSpri+CPNv8TYfFYjJeNh2FB7p3FK7j3UW9:yoZ9mDcOTYR4WfikEjQyWbEZbpKR
                                                                MD5:4515FBB1B055337DFD1B95A92C1B7E4F
                                                                SHA1:2D8CDBD2E1220253A9EA95BF8D251DBC20DBD519
                                                                SHA-256:DC47B8CBD67E32CB3E1D45747F130C02331CA3924D63676F7F48E40D0764DBB3
                                                                SHA-512:EBC0B25DA54868590CDBC6E283A4D4D38F6D76EFBAAC9E5FA31B5EF86FC4D9970FA895F4313CFAA4693FEC1F2C3AD7AFB5393139EE3B367F1AE888F6FD2D6ECA
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-M8BJQ.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):18652
                                                                Entropy (8bit):4.042703598605601
                                                                Encrypted:false
                                                                SSDEEP:384:3HU628Q7qUS5OvlnzMmYiQ8JDePBVU2AMLZqO8zaGUOr0Lmk5T2xqTP:a7OwUhLmYP
                                                                MD5:0EB8CBD100470A58D90EBC1ACAFEF090
                                                                SHA1:CF6071C73DCF7D69A02A3C38E80F403C84C5B2F4
                                                                SHA-256:7BBAE4DA16F0C2A2136A32CDFB9FF75BC4C5270570ED2BC70994582447366050
                                                                SHA-512:FB99D5A5239ED3A86C9DC0CCA8774E0B268A2BA958DA6F74A0833A02D8B32D8E694D3AD946F270093778F86A4BDCFBB9F6DF14FB4F284575AAEF0C9535B3BC23
                                                                Malicious:false
                                                                Preview: # this is the affix file of the de_CH Hunspell dictionary.# derived from the igerman98 dictionary.#.# Version: 20110321+frami20110505 (build 20110505).#.# Copyright (C) 1998-2011 Bjoern Jacke <bjoern@j3e.de>.#.# License: GPLv2, GPLv3 or OASIS distribution license agreement.# There should be a copy of both of this licenses included.# with every distribution of this dictionary. Modified.# versions using the GPL may only include the GPL..SET ISO8859-1.TRY esijanrtolcdugmphbyfvkwqxz..........ESIJANRTOLCDUGMPHBYFVKWQXZ....-...PFX U Y 1.PFX U 0 un ...PFX V Y 1.PFX V 0 ver ...SFX F Y 35.SFX F 0 nen in.SFX F e in e.SFX F e innen e.SFX F 0 in [^i]n.SFX F 0 innen [^i]n.SFX F 0 in [^enr].SFX F 0 innen [^enr].SFX F 0 in [^e]r.SFX F 0 innen [^e]r.SFX F 0 in [^r]er.SFX F 0 innen [^r]er.SFX F 0 in [^e]rer.SFX F 0 innen
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-U145M.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:UTF-8 Unicode text
                                                                Category:dropped
                                                                Size (bytes):27835
                                                                Entropy (8bit):5.356840197811871
                                                                Encrypted:false
                                                                SSDEEP:384:JLQY7FMAlxnvRXp3bs8SgeuOhlbHcOoLCknL7XgPBlJquOuFhHAi+FnsEQ56tb:J8QNxnvvbKgkXb8HQlZOUAicnsEQ5g
                                                                MD5:3CB4B4DEB1DD1788E52FB87FAB1F78FD
                                                                SHA1:46F2D30D9FF2283AF8F5BEFF6A148C1ABA06DBB0
                                                                SHA-256:0EE9233FE1C5785F9A803A05AC882E8363AC785C06FBD455AF88CE0C0A57324B
                                                                SHA-512:4AD8963722723386254FB65EC661827634441738246AFA8A195F250102491A52C9DE3E5B255E2F4CA67C57D5CBF5B253B181BBCA10E4E33D3ACD6363FD85705A
                                                                Malicious:false
                                                                Preview: # Hunspell affix file.# (c) 2006-2010 OpenTaal.# Coded by R. Baars.# www.opentaal.org.# version 2.00b2.# d.d. 17-9-2010..# BEWARE: THIS AFFIX FILE AND DICTIONARY REQUIRE HUNSPELL 1.2.8 AS MINIMAL VERSION..# define char set.SET UTF-8..# - in front of try to suggest compuounds with - earlier.TRY -esiadnrtolcugmphbyfvkwjkqxz............'ESIANRTOLCDUGMPHBYFVKWJKQXZ..# combined layout for BE and NL keyboards NL en BE.KEY qwertyuiop|asdfghjkl|zxcvbnm|qawsedrftgyhujikolp|azsxdcfvgbhnjmk|aze|qsd|lm|wx|aqz|qws|..WORDCHARS '.0123456789..-\/.# . is only useful as wordchar from the command line.# \/ should make the / acceptable as part of word (km/h).# the way applications offer words to the Hunspell interface apperently differs,.# causing problems with abbreviations and end-of-sentence words..# Issue has been communicated with Hunspell's author...# do not offer split words (to prevent English desease, splitting up words).# it would be usefull, when suggestions would be last in list
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-U4QSM.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:UTF-8 Unicode text
                                                                Category:dropped
                                                                Size (bytes):64145
                                                                Entropy (8bit):4.9920850041773335
                                                                Encrypted:false
                                                                SSDEEP:1536:tKZhmLUYi7sJ/ogGoxx03tbhhXmLYI5KvctYHJ6OaO:tfGoxx03tbhhXmL/5+zHaO
                                                                MD5:948412697F6FE862D4BC17517011F46E
                                                                SHA1:20D06521169E07DA4531C6702366E5BDD440E5A1
                                                                SHA-256:41F5DEB682C25C3D1A9C5FBE2A538B5E112DE0084A1A9FE8CEB4C4DFE400AF0F
                                                                SHA-512:9C7122A026698EE12B8581CD1A5E520B86EF65899FD834DC116AD13D4B8AF5465C99440F86B20440208CB94EAC06841654F5C8295B4E8757E9420FE37093A1BA
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\dict\is-UES3P.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ISO-8859 text
                                                                Category:dropped
                                                                Size (bytes):4356858
                                                                Entropy (8bit):4.870789103744166
                                                                Encrypted:false
                                                                SSDEEP:49152:lczSmzalCmEAC33AEnrfkecVbf1f+4IAGqILTgXUH0k:i
                                                                MD5:4DBAE1CA0DB9375162CE5CDBEA5C2B63
                                                                SHA1:0BB429229857398A9875F883DE5F27231132996C
                                                                SHA-256:52D2484A70681386D979E958F2F828A976F0DCDAA680038F371BC70ABCF7463A
                                                                SHA-512:3483114D8C6ED058277E906F3866C86A18108D91B3F16E3EE86B10BAFACC3B87C0D0AD140DFC1A2B1A3B827A204B49462271AAD4BBC39D6B06D67055F8C52DF6
                                                                Malicious:false
                                                                Preview: 258200.#.This is the dictionary file of the de_DE Hunspell dictionary.#.derived from the igerman98 dictionary.#..#.Version: 20161207+frami20170109.#..#.Copyright (C) 1998-2017.#.Bj.rn Jacke <bjoern@j3e.de>, .#.for the addon:.# Franz Michael Baumann <f.m.baumann@smail.uni-koeln.de.#..#.License: GPLv2, GPLv3.#.There should be a copy of all of this licenses included with every distribution.#.of this dictionary. Modified versions using the GPL may only include the.#.GPL. This dictionary is compiled from igerman98. For the purpose of the.#.GPL modifications of this dictionary should be made public as a patch.#.for igerman98 allowing to regenerate the modified dictionary.....bte/Nm..btissin/Fm..btissinnenliste/Nm..btissinnenst.be/Nm..btissinnenstab/STm..chten/SJm..chzen/S..cker/Nm..derchen/Sm..dikula..dikularrahmen/Sm..dikulen..dil/EPS..ffchen/Sm..ffin/Fm..g.is/m..g.isbereich/EPSTm..g.isinsel/Nm..g.iskreuzfahrt/Pm..gide/m..gidii..gidisch/Am..gidius..gypten/Sm..gyptenarmee/Nm..gyptenbeschre
                                                                C:\Program Files (x86)\PhraseExpress\is-015T6.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:Zip archive data, at least v5.1 to extract
                                                                Category:dropped
                                                                Size (bytes):83487
                                                                Entropy (8bit):7.997716140133843
                                                                Encrypted:true
                                                                SSDEEP:1536:NGWtX9LbKh7WRFfX0lVsfMuy5JnDYk0SODwut3unLRKAXFhU1n2pDiwGeqJ1pOY4:FtRbKIFEJ1GUnLxh4nIRGe01pO9LcU
                                                                MD5:1092C9E311F380FE3413BF9B46DBC70F
                                                                SHA1:E4B1D146621D8A1638B9B00CA815C784AFAC871E
                                                                SHA-256:0A87C7D243BDDACF3BAAFEB52C49669EDC32359E5DB68A5A6558F981D6038A6F
                                                                SHA-512:1AA42BBAE26EDB8ACA0E30669F0212B9A7F2E76FC5A465B5E37213BB3E3849D62BC191AC877C8AECC3B0BC95C4E91AD0E88031C3B6FC87A7D617BEA0BFC04611
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\is-5664E.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):548864
                                                                Entropy (8bit):6.393702958885723
                                                                Encrypted:false
                                                                SSDEEP:12288:BuYZhMltDoD+OSt+ujajk5RnchUgiW6QR7t553Ooc8NHkC2euB:oOhMltDoqvpjajk59g3Ooc8NHkC2eW
                                                                MD5:2BC650257FB0867ABD54FD460EC2BAFC
                                                                SHA1:EC063526AA14BCADEEFFA6D859B39A80680015B7
                                                                SHA-256:9FC2E85BA84CF0459AAB0DC2EFAC734AD7B5B4C99BA19871FE8F6E35D0191838
                                                                SHA-512:903966F1739727D166131B42DF6A7CD77D4F734C01437F7D96F18E8CB2C60A8E49BD952452FDE8F0D3A92A002D2404EE78B97472821C190B300C594A5525C0A2
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                Joe Sandbox View:
                                                                • Filename: camaleones-capitulo-_444546424.exe, Detection: malicious
                                                                • Filename: camaleones-capitulo-_444546424.exe, Detection: malicious
                                                                • Filename: PortPSuitePro20082.0.4283_softarchive.net.exe, Detection: malicious
                                                                C:\Program Files (x86)\PhraseExpress\is-9929J.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):675840
                                                                Entropy (8bit):6.734762560012747
                                                                Encrypted:false
                                                                SSDEEP:12288:zGS0YPmKEK9uxS4TCNfbg4ibCcoInBliDxrPLkQGSWDhap:NmKEKEsnJbg4iFoIBliZLkvph
                                                                MD5:8B61226D1421BDEF3C416F27E195F7CD
                                                                SHA1:65712274E92D9C71FE61E0D0F9DD1269DB28857D
                                                                SHA-256:661E77320397CEDBE09E221115F7079857DCC0775BF8A32156AF7A7CDF85C921
                                                                SHA-512:EC77651BBB609C6CC2582AA86A9A61A286C768729AF735AF8618E28C2F53D37DE881D95EC24E9D6867E54952358C42F796D7AF464A7432144C05538DDF891936
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Program Files (x86)\PhraseExpress\is-9UM50.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):548864
                                                                Entropy (8bit):6.524129284528649
                                                                Encrypted:false
                                                                SSDEEP:6144:HonrJwrscWd8rmUcEndtFiR0nMSFsl+C5kTzf3zBbjknhNL+ZlllcWqofOSqPDgY:HorWscWd+tFpLsl+CyTzbwGl8goFr
                                                                MD5:BBC0CBBB8F41EA6D3FE27F411B7B1DE0
                                                                SHA1:6C948D462061FAD41628595B8F8A345D532CC26B
                                                                SHA-256:96303A1B2133F1B6FA90240D3ACC0A2BE291473CF5CC1F72FD89F5B65CCA9286
                                                                SHA-512:47ED6B3C9ACE8187AB7B1F2EA0A3A884128919C48CADE36C41234C8D247410B0B6DE2C7E68270331135BB83786088586D3F5CE99893750C63CF656EF8BABF0E3
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Program Files (x86)\PhraseExpress\is-AFL57.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):171392
                                                                Entropy (8bit):6.447914735721398
                                                                Encrypted:false
                                                                SSDEEP:3072:7i1JDwpvG8NWChANdu7zgzT+duKqBH8p5m:7i1liEQALzCY
                                                                MD5:2F2B50895082D5DB21A9E78A63D1F14A
                                                                SHA1:976AC8807E6FDAA0C7D641B6438B315AA188477A
                                                                SHA-256:D2DF0206F4DFF4B8C845F2CF658AB80337F9190F0203F49C1F1738E8ED155930
                                                                SHA-512:1E3C025BE262A603A77E070011FC668A89B235F2E3B28C72A9A57BF598CDC6903C43BDD32E2B7CDDAC37B80B895937C6A3487CFE62384A686E824651D103F072
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Program Files (x86)\PhraseExpress\is-ITQ7B.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):417792
                                                                Entropy (8bit):6.543813398863488
                                                                Encrypted:false
                                                                SSDEEP:12288:R8D9DwpzrEUkzU9nteJsbk7E9l0nDYcZ/F4:N2NKyrE9l0nR/
                                                                MD5:51885B2E55600779A725B9110A4C2187
                                                                SHA1:43963E2BD4C706D6AD883C81B458B8E08812B917
                                                                SHA-256:1A4A362724A0327767180AFA71E94923D159FF22D315182E89EA142630DA3DCB
                                                                SHA-512:8EC96A848FABC22BCD17A797B31182B54B2607D879AAB6B7FD3C0FC77002866D2AE24A0E8A8BC3F319774DCB0445EDAE2FB905895F0A22FB9FE57C0FD34C0688
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                C:\Program Files (x86)\PhraseExpress\is-JK4R0.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PDP-11 UNIX/RT ldp
                                                                Category:dropped
                                                                Size (bytes):148556
                                                                Entropy (8bit):5.190404620491418
                                                                Encrypted:false
                                                                SSDEEP:3072:Km5NCii9ViWJXRAkPsRCUnXQH7C0jH4OJXpz74XlOFW:TCF9VtH7s074eAO0
                                                                MD5:CDD9857D200E70DC07B87F8DA418AF18
                                                                SHA1:BA97DC5DEEABCB7FA55D9AACDA1DD2311F2213AC
                                                                SHA-256:190E1ADA19F7E051F96A09F674244831FFD0E071A3E83ED296AEDE062AF74C93
                                                                SHA-512:DD585BFC3D49715C89551776EDCFCBE8EE3FA63E4727CAD123E3330B299C42FCC6B5287B8DE1059CFE7AEEFFC09EE3B2E8E54905809B149B1C007DD01B22FD8A
                                                                Malicious:false
                                                                Preview: ....<D.../1.................<...arithmetic exception, numeric overflow, or string truncation........invalid database key........file @1 is not a valid database.........invalid database handle (no active connection)......+...bad parameters on attach or create database.....%...unrecognized database parameter block...........invalid request handle..........invalid BLOB handle.........invalid BLOB ID.....0...invalid parameter in transaction parameter block........invalid format for transaction parameter block......A...invalid transaction handle (expecting explicit transaction start).......(...internal Firebird consistency check (@1)....!...conversion error from string "@1"......."...database file appears corrupt (@1)..........deadlock....*...attempt to start more than @1 transactions......#...no match for first value expression.....3...information type inappropriate for object specified.....:...no information of this type available for object specified..........unknown information item....
                                                                C:\Program Files (x86)\PhraseExpress\is-LP8N7.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):7680
                                                                Entropy (8bit):4.563766936763978
                                                                Encrypted:false
                                                                SSDEEP:192:fRSm+hxXgUdU1fKh1vN3XN6MbrkR4YRB:fRr89U6H96Ms
                                                                MD5:B83959065BC4C86B90B29CADEAD5D198
                                                                SHA1:4F6C5793DDF497C8ED015D90DF895721B13C3708
                                                                SHA-256:CDE247D1A990A21D76085D3E8A3414CCC156C6D307DA4618F2D1FCDFFEF742BB
                                                                SHA-512:F122F21BB0CEBA90F0A9E8B80E6F30FC9D78CEA0E873F0F953B39131D4643A3F8D6E71FB1D5EF043EA5596FC10EF8CD2244D47C5BCF3DEB35A292507969BB7E5
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Program Files (x86)\PhraseExpress\is-M0D71.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):581944
                                                                Entropy (8bit):3.799977272409138
                                                                Encrypted:false
                                                                SSDEEP:3072:kGJT9x4NYL7mUkv+/HtI/sb8hOfbojeTYFbH9ZQ+vEna5Rdes8Y+Xdrp3tBR2lmQ:kGXx4luWtvVe3Y+Pq76iLpf1Uj7H6
                                                                MD5:EDE4374C5403B4EDA22BB31CF0BE732A
                                                                SHA1:2833B59374F0F7FF111BDBCC28FFD8E9186FFE1B
                                                                SHA-256:A4B7F74DE65FE82CF26870AD298BCFE42B2CA106873D7C71B02AAF686051FE29
                                                                SHA-512:347D73486133FB6482BF593F3A080C45A7E4E7F01F9ADB03407CC2B5B443715657CADEAC046798252E0B7C95CA44A06A843DB36A3018C84D19D2A0999920C8ED
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                C:\Program Files (x86)\PhraseExpress\is-M708D.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):82710008
                                                                Entropy (8bit):5.7668097349790175
                                                                Encrypted:false
                                                                SSDEEP:786432:DzYubmAxfHQ9wEN35zo7DOFD3i4aW+WL/G4eNxnK/XjaV/:DzYuNHuhho/OZg/
                                                                MD5:07DC3423C4D131DFFB08BA7BBDC44C0D
                                                                SHA1:D4D6A60E58A602B6BD9FEE720243C5C643D2B8EE
                                                                SHA-256:588271D56BA3E30ACFD58FA138E85DD406CCA8B14B9A39C8EA6B189EFC431687
                                                                SHA-512:8EA64F0D247985FD4CD2D46E881E8912F3291389CCD58A469FED05F2FD937EF0A6DEFF03B4E7A8FE3B5A80C210C87A3DA8730F4F61AACBD299D06D25AA19F34D
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):4217368
                                                                Entropy (8bit):6.62418762568924
                                                                Encrypted:false
                                                                SSDEEP:49152:u9TaXIC6EA5SC6hfBAneMP38T85pc1DcQVTJO6:ao9mxP38TvSQ93
                                                                MD5:A5CAADFEA750F00989054788A13BC20A
                                                                SHA1:411D2D4FDD708E16BD9EE026A88E8F4B6A97D655
                                                                SHA-256:047ADE4C0E00F11FD910C675F25EA104012FE38D316B7779F5B4F4C2E9E14057
                                                                SHA-512:DAD21122911206B8601F4FF54CBCAF8E740C7D28EFF154FB447181D999C0284A3AB3839FEADE2C099AAFFD7B81B0D7CC1A8C38AFB3830988B88FFF59BC234AF6
                                                                Malicious:false
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\PhraseExpress\is-MBKTQ.tmp, Author: Joe Security
                                                                Antivirus:
                                                                • Antivirus: Metadefender, Detection: 0%, Browse
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                C:\Program Files (x86)\PhraseExpress\is-N9NC9.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):381440
                                                                Entropy (8bit):7.214384413744437
                                                                Encrypted:false
                                                                SSDEEP:6144:w3LX1tWutQtNpY1GB91E8gGaI14E4hLSC2FAPsByy1zyX2IST20SPM:0T1tWutQtNpYIw8gGaI14E41cFAPsBya
                                                                MD5:D2A74F0EE2202DD2F20B922898D518AC
                                                                SHA1:6CFB82865317697B2E6A13C1654056E6AFF4D86C
                                                                SHA-256:99C07AE6104F388A1D484559B9E48049E9DD759ABB59A2A7EB917EEDB744262A
                                                                SHA-512:575443EA3977A9DEDE9017E6B3134F5CD77F4E5FCC0C1A7E6EC92E00DCEAD1DF01242DE0D8E8A35470DC747001D8873AECB6CF2A5FC850D1FE7EBC80DEACBAFE
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\is-OMBH6.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):522
                                                                Entropy (8bit):5.005224587442335
                                                                Encrypted:false
                                                                SSDEEP:12:TMHdt7IBeBFJ3/3XO5n6SNMIF+hG0r9YgVWQnbEcbSELXKbSEjb1G:2dtMEDJ/e5NMU+hZryg5nhdwxQ
                                                                MD5:9EDF5EB3D091D4823C96A00B6B45DF45
                                                                SHA1:50C3A585404678A46BAE0F4369A3CD8328518F23
                                                                SHA-256:9964E296C171B8A395150DC93FDCEC7589244A88B6EEE3D974D6187B5148681B
                                                                SHA-512:DDA1A7518BB8B164691161CBF6E5B1FA90A04D42FC045FF73B8C3DB1882D018246E987BC5FBD515B631FB35B9C3565589789F1D09B4909BEA24E7F02D6E76B4B
                                                                Malicious:false
                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Copyright . 1981-2001 Microsoft Corporation -->..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable/>.. <assemblyIdentity .. type="win32" .. name="Microsoft.VC80.CRT" .. version="8.0.50608.0" .. processorArchitecture="x86" .. publicKeyToken="1fc8b3b9a1e18e3b".. />.. <file name="msvcr80.dll"/>.. <file name="msvcp80.dll"/>.. <file name="msvcm80.dll"/>..</assembly>..
                                                                C:\Program Files (x86)\PhraseExpress\is-P1QG2.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):27468
                                                                Entropy (8bit):4.982604909652806
                                                                Encrypted:false
                                                                SSDEEP:768:/GK2GVA/z8csC986yC9BcWhcrJlMdqILMXUIOXJAq2SRa9sp67qULo:ecgb939BcWhO+L7XSQRaCp67q1
                                                                MD5:E6274341B50CE5CF5414805924C719A2
                                                                SHA1:6F9A301DA3EAB2BC8376CA19121022EB60B7E6E7
                                                                SHA-256:9F3F859EF3F6E0F05415D0135DD76E22CA6BDC62C8190A91508CA82D868242F1
                                                                SHA-512:B0013E92E5B31D82FDA6CDE42BCC3EFA785D445297B20F1D46D27F45B5CF41C1F718830F0FB6FF44B9474344EEC7D4A0DA258B6A14C009E4EB292E101326F424
                                                                Malicious:false
                                                                Preview: #######################################..#..# Firebird configuration file..#..# Comments..# --------..# The # character is used for comments and can be placed anywhere on a..# line. Anything following the # character on a line is considered a..# comment...#..# Examples:..#..# # This is a comment..# DefaultDbCachePages = 2048 # This is an end-of-line comment..#..# Entries..# -------..# The default value for each entry is listed to the right of the "="...# To activate an entry, remove the leading "#"s and supply the desired..# value...#..# Please note, a number of the values are specified in **Bytes** (Not KB)...# Accordingly, we have provided some simple conversion tables at the bottom..# of this file...#..# There are three types of configuration values: integer, boolean and string...#..# Integer..# --------..# Integers is what they sound like, an integral value. Examples:..# 1..# 42..# 4711..#..# Boolean..# -------..# Boolean is expressed as integer values with 0 (zero)
                                                                C:\Program Files (x86)\PhraseExpress\is-ROS3A.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):359424
                                                                Entropy (8bit):6.517202756551662
                                                                Encrypted:false
                                                                SSDEEP:6144:6LdFEkpmi8UbGkndja/oVq6t7MGrhlQFJu1UWbuO0Jk8tdP5Ris/xbXxhoEtIRJD:69pmi8UbGkndja/oV1t7MGrhlQFMWWbD
                                                                MD5:AF1353192FA86EE523768166C6AFC58D
                                                                SHA1:0EAFFE577BC67B2D7FD70011EB2A3A422182965A
                                                                SHA-256:CCEDCA6C1B5AEFC779AF25A64F4FBC212A3379C3A2B392E9893A0D3EDBFDB332
                                                                SHA-512:95F5B8369ED6775A9D4F4BC9C02B35EDBA041A9823642AE8E2358A9CB93E212374FE3D75313DE3B112B4174AB2ADEFC4CF34D25D0A89ECD439E3250D3F11F317
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\is-S3THG.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):60376
                                                                Entropy (8bit):6.373660892679701
                                                                Encrypted:false
                                                                SSDEEP:768:mkYhN4xUCE4bLL5XVbWjeJOQskprBxUwbpDjrlqBl2qt5Wp23+zj:khCxKeLhdWjeJlsOrvUO1K8aV0
                                                                MD5:591DC7D89EA115F5B27A9FA3E62CA50E
                                                                SHA1:B1ABED2E001D5D30AA44F961B2A8DCE0EF47F203
                                                                SHA-256:0911ABB292055376A76557AD35698C006F4614EFB0F19D1E5F6DB731AF24D25B
                                                                SHA-512:E37E99AE9A2EBFD8182C286AFE5F5B773167795E5887B7B9193211EE0700AA550826A401D46945C2A39BD37563B6FDE2252A597BCC38DF085E460B209564A32F
                                                                Malicious:false
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\PhraseExpress\is-S3THG.tmp, Author: Joe Security
                                                                C:\Program Files (x86)\PhraseExpress\is-TSPG7.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1362944
                                                                Entropy (8bit):6.84980469236842
                                                                Encrypted:false
                                                                SSDEEP:24576:d/Qj+KpPax003EEbvUIs7zj0P399jKpo0JLx91QA9:w2f9DUIs7zj0vjKpo0JLx91QA9
                                                                MD5:39D7E73DC7712F89E93AB7A21BC5EB11
                                                                SHA1:21FC38157AC375741709147FFA9CDE4EE19ED737
                                                                SHA-256:6F91F607D1F30622E4B44D2146E59085A2A397990B79ACBE75970E6DD5C7EDDB
                                                                SHA-512:BD7DC91D685BCC93F458C4DF0D1370FE0AFDC9B3729F11BF9141FDE1CA04DE5D561A595B180AEC0BAD9F7C6C7F25C438A262C63C7960E0F3BFAC44F03A67F266
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\is-U3PJH.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1568768
                                                                Entropy (8bit):6.180673563052627
                                                                Encrypted:false
                                                                SSDEEP:24576:TqaX8Bv2axcToy/oH0C/iwESlzJ5uM8H2ZIuNjMSpnhmW8c238uoL/:78BvPy/i0CKwFEvnckB
                                                                MD5:6D201E2168270028ED0D18563B08E449
                                                                SHA1:AC635C3A68D26AE99425F5F60B2DE3EB272422F0
                                                                SHA-256:1F7DD0A3CB26A71827C8F7E7AF4B2620EF8812FDA21FE963BB213A3B25FE9782
                                                                SHA-512:572261D92959ED672AE6C9A80C5459C9217D0C94A9237D62D927C056E38FB791CA23406BD3713517BCD7AE66B10CC77428D0A6E2E5677A718646E11586103EAB
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\is-VC5Q1.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2942972
                                                                Entropy (8bit):6.350937718163189
                                                                Encrypted:false
                                                                SSDEEP:49152:2g2qPtc1e5OS7bPGoUl+x/grN4azvchYk2ru03j:2vqPCnrN4azvSYzu0z
                                                                MD5:8D4B991D26F6B3D1E99A18FCD9D0E43E
                                                                SHA1:7AB671B619705533FFF8D1058EEE03958CB76F30
                                                                SHA-256:B9C39305EBB1C4CCDC0FC7300FB0CE4DDAA87AC7EADB656FB0EF8CC71117B5E2
                                                                SHA-512:5E27FB7F25CDAFC2113C7E54F27F5DEA9749874F7803DEF8A5BD5A00EB2B85B393A6AB1A3A9C50FDFFF47BF1F6CE78240AC79CF884DFCA49154984E5B63EE5D2
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\unins000.dat
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):48130
                                                                Entropy (8bit):3.8458791991051786
                                                                Encrypted:false
                                                                SSDEEP:384:q3l+PIBpIGorEy73ktPpPDPLP5E2WcjIB+3sljiXehoz68rG0Kipm5LEdWWHnxp0:qqyeqAtb9licVoz9UglPg
                                                                MD5:BD8EE0F59483B2EF6DCFAAE0EEBC1D89
                                                                SHA1:AD8320BA416E6FD459E0F4F4A31FB1D477E37495
                                                                SHA-256:13E020A59D77ACD8A202BD0E0CD50E109121B9D3EC5BE552B8B34916DAEAD0FC
                                                                SHA-512:7B30C3CE1FB4A5FDEF0095A23C718487275ABE9AE639944472D34E8035DB4E94B16AD6D07909290E55BC64FF4ACCC9B7BAE37B66EA38564931AA5627C455FF80
                                                                Malicious:false
                                                                C:\Program Files (x86)\PhraseExpress\unins000.msg
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):24365
                                                                Entropy (8bit):3.2774132566159087
                                                                Encrypted:false
                                                                SSDEEP:384:HJMG1EY6ir64+oHtX+7Q1U5YQDzt7/B3o:pF19+aftQDZV3o
                                                                MD5:CF7E378132F2152EDC6E75210EFA11A9
                                                                SHA1:2DAB8818075DAA3C0B3D69647318CBE4CCFE5219
                                                                SHA-256:44958690204B5907BDE88386EE1762120D28601EB54C69333626085F6B417B81
                                                                SHA-512:C32957FA51C09DFA3F7237F026831BB7CA6438C7590E4475D8EE975F72FE3162D4BC0BEC8A02DB7F43052AA9AC93DDC4E91F7D9B4034C73A8AE16A2D3E06477F
                                                                Malicious:false
                                                                Preview: Inno Setup Messages (6.0.0) (u)......................................^.........C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4...C.o.m.p.i.l.e.d. .w.i.t.h. .I.n.n.o. .S.c.r.i.p.t. .S.t.u.d.i.o. .F.r.e.e. .....h.t.t.p.:././.w.w.w...k.y.m.o.t.o...o.r.g...A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .t.o. .i.n.s.t.a.l.l. .t.h.i.s. .p.r.o.g.r.a.m...........Y.o.u. .c.a.n. .a.l.t.e.r.n.a.t.i.v.e.l.y. .d.o.w.n.l.o.a.d. .t.h.e. .P.h.r.a.s.e.E.x.p.r.e.s.s. .P.o.r.t.a.b.l.e. .E.d.i.t.i.o.n. .w.h.i.c.h. .d.o.e.s. .n.o.t. .r.e.q.u.i.r.e. .a.n. .i.n.s.t.a.l.l.a.t.i.o.n. .a.n.d. .a.l.l.o.w.s. .y.o.u. .t.o. .u.s.e. .P.h.r.a.s.e.E.x.p.r.e.s.s. .w.i.t.h.o.u.t. .A.d.m.i.n.i.s.t.t.r.a.t.i.o.n. .r.i.g.h.t.s.....T.h.e. .f.o.l.l.o.w.i.n.
                                                                C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhraseExpress.lnk
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Jul 23 02:14:21 2021, mtime=Fri Jul 23 02:14:27 2021, atime=Mon Jul 12 23:56:18 2021, length=82710008, window=hide
                                                                Category:dropped
                                                                Size (bytes):1152
                                                                Entropy (8bit):4.595567523455659
                                                                Encrypted:false
                                                                SSDEEP:24:8m1L2PCFuhdOEbZ62UAcNGPdDc7dD4UUt+M7aB6m:8mJ2PCFudOOcWdsdRg+5B6
                                                                MD5:09948D696BD3968F07D8A1E4DC587551
                                                                SHA1:9764BD0050FC50FCD51ABDFC58BDE5B409F55739
                                                                SHA-256:8CEF7A03AC0DEB4F46DE5C924CFA22C5FD9C0C03D2987D1E9FAEDB886C370C69
                                                                SHA-512:15C798D188F5E54CEDB8987F3C317118981E7001CAEAE6457DAE8E671C560F44BDE03D241830B764BE5FF8DACF822133D665EEE5ECF0D5124D1DD502B5140410
                                                                Malicious:false
                                                                C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PhraseExpress.lnk
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Jul 23 02:14:21 2021, mtime=Fri Jul 23 02:14:27 2021, atime=Mon Jul 12 23:56:18 2021, length=82710008, window=hide
                                                                Category:dropped
                                                                Size (bytes):1158
                                                                Entropy (8bit):4.57903635267793
                                                                Encrypted:false
                                                                SSDEEP:24:8m1L2rxxbdOEbZ62UAcNG0dDc7dD4UUt+M7aB6m:8mJ2rxddOOc1dsdRg+5B6
                                                                MD5:28972AB372AB314A16AA3DDDAEBDACA8
                                                                SHA1:5E4F2D00572FA8CCA598F67D4701A1A71CED202E
                                                                SHA-256:62E35E35A9B916805A14E1E94FEC3D7CFA4331FE1613459138E9E7A26AA91DA7
                                                                SHA-512:9A5D020ECBAB9A9AF4E84C2ABFDA4A0F459CC9F25C660AC0AEB63B914300027222D0453A27B78A993B9E9AB2796005B8F4DF8444361EB74AB06F93340CD5F9CE
                                                                Malicious:false
                                                                C:\ProgramData\PhraseExpress\is-U9SO0.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):48
                                                                Entropy (8bit):4.777569011092752
                                                                Encrypted:false
                                                                SSDEEP:3:vFWWMNHU8LdgCzb:TMVBdTb
                                                                MD5:E948BE72E64B13C1297B9CB047C33FB2
                                                                SHA1:C862E1DEDEF6D162F21F366ED9C09ADB62790420
                                                                SHA-256:C17FBD83D36FAA053A16D37658633CFDBD6DCE925D2B8FCC70849437E107F260
                                                                SHA-512:F106F3D5934FE13400E8697ABC0D4A4DBF83708DE01433C4CA4CB8FA18D7FDA29D7A28F801F4622CA70CE0AD6B441A131CA0E2F84FC5341898295AA9203097DD
                                                                Malicious:false
                                                                Preview: <?xml version="1.0" encoding="utf-8"?>..</xml>..
                                                                C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                Process:C:\Users\user\Desktop\PhraseExpressSetup.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):2942968
                                                                Entropy (8bit):6.350936537543159
                                                                Encrypted:false
                                                                SSDEEP:49152:2g2qPtc1e5OS7bPGoUl+x/grN4azvchYk2ru03T:2vqPCnrN4azvSYzu0D
                                                                MD5:B6F63D25BC114A183946CFE0BBC792D8
                                                                SHA1:BBE86CF0716C06F514B8D6CA9616915DB7ABC4F7
                                                                SHA-256:1115DEE163F89928CBD3E6EF2AF938512F8647B7939BE173597E1BD0100F56AB
                                                                SHA-512:96B4F385DFCA8B9332BBC0D620173480ADF0893831E2E5133E36DF1F4A87DD481DEC72A3E723B2A84B9AC5C1B9619A2314EF00DF154A9D36CBBF3D53362D53A2
                                                                Malicious:true
                                                                C:\Users\user\AppData\Local\Temp\is-SQJ41.tmp\_isetup\_isdecmp.dll
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):24240
                                                                Entropy (8bit):6.823338888710406
                                                                Encrypted:false
                                                                SSDEEP:384:BHvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCgcoSmonTpXoi+Pbd0ia:BJ7FEAbd+EDsIO7oST1Yi+Ph0i
                                                                MD5:77D6D961F71A8C558513BED6FD0AD6F1
                                                                SHA1:122BB9ED6704B72250E4E31B5D5FC2F0476C4B6A
                                                                SHA-256:5DA7C8D33D3B7DB46277012D92875C0B850C8ABF1EB3C8C9C5B9532089A0BCF0
                                                                SHA-512:B0921E2442B4CDEC8CC479BA3751A01C0646A4804E2F4A5D5632FA2DBF54CC45D4CCCFFA4D5B522D42AFC2F6A622E07882ED7E663C8462333B082E82503F335A
                                                                Malicious:false
                                                                C:\Users\user\AppData\Local\Temp\is-SQJ41.tmp\_isetup\_setup64.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6144
                                                                Entropy (8bit):4.720366600008286
                                                                Encrypted:false
                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                Malicious:false
                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PhraseExpress.lnk
                                                                Process:C:\Program Files (x86)\PhraseExpress\phraseexpress.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Jul 23 02:14:21 2021, mtime=Fri Jul 23 02:15:08 2021, atime=Mon Jul 12 23:56:18 2021, length=82710008, window=hide
                                                                Category:dropped
                                                                Size (bytes):1245
                                                                Entropy (8bit):4.596830449090725
                                                                Encrypted:false
                                                                SSDEEP:24:8m102rxxbdOEzfSZ62UAcNGr2dDcydDEUUt+pI7aB5mA7m:8mi2rxddOlcLdVdtg+pdB5mA
                                                                MD5:77E7267CFBC4BE802172F97EA6345221
                                                                SHA1:B8D4619ABE25D8D5B5255378FDB57DBD2C5631E9
                                                                SHA-256:1C63261BDEE10704290A062AB1845D2AF266A395DC86A204253090B465F5D086
                                                                SHA-512:CEDD0F888450FA434762E0AD8331D4A6C41E11F019DB089F9F0D199D6D054F75B6F2C9A5C162C5EC820DC9E3B4BCD0018BF39559066732D621BC4BF2097833D2
                                                                Malicious:false
                                                                C:\Users\user\Documents\PhraseExpress\is-OQ634.tmp
                                                                Process:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                File Type:Zip archive data, at least v2.0 to extract
                                                                Category:dropped
                                                                Size (bytes):312833
                                                                Entropy (8bit):7.99902749750852
                                                                Encrypted:true
                                                                SSDEEP:6144:noVVl30gq4PXTV3AkJZSWUVcwrv6BJlR2ThQXNSFcLNt50e+YYOHzuD7:nUPXTV3AiEWUVBrOl8c5//YR7
                                                                MD5:1D486AC31572E3C3815B714B03B88776
                                                                SHA1:F865FBD11BB583C047394261690678D37B4D0AA8
                                                                SHA-256:EB3E2F81F3BABFB41452FFF1704BFE504A3DAA2F58359AD2D3F81B4D12D38BFA
                                                                SHA-512:DB2A4CA12688F40B96B0CA57C94C88BBE5FBF1527D0EEC623F399BE13105ED7723621418B01B6748DD51B0E62819B6220FA829D56719133557AEF3A7739A8CE3
                                                                Malicious:false
                                                                \Device\ConDrv
                                                                Process:C:\Windows\SysWOW64\netsh.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):7
                                                                Entropy (8bit):2.2359263506290326
                                                                Encrypted:false
                                                                SSDEEP:3:t:t
                                                                MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                Malicious:false
                                                                Preview: Ok.....

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.988727831253856
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                • Inno Setup installer (109748/4) 1.08%
                                                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                File name:PhraseExpressSetup.exe
                                                                File size:34303472
                                                                MD5:ce7db25979fb3cd61fca4a9e8f6d0c30
                                                                SHA1:d5ccf69c83cbbbbdeffc9805ec3f4abf6d02a847
                                                                SHA256:f8b33571fb06d4c68c5feb41750229ff48f0a8035749970f6462873ea6ed55aa
                                                                SHA512:cd3f6356dde82c43612954846bb2ebc69679d53b85095a9fefead1d8327a7a115d15898503983bbe1f92b0814b16bda714abab26736266f65a77e36606bc9e5c
                                                                SSDEEP:786432:rNmE59P6vXEUCIKCRZyHpEDnU8LE55aLMQG+j++snyN+ohvrE:rIE59P6wwTI8LpMQG+jY6DE
                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                File Icon

                                                                Icon Hash:f09a8ccc968c9989

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4a7ed0
                                                                Entrypoint Section:.itext
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                                                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x5DA1B5ED [Sat Oct 12 11:15:57 2019 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:eb5bc6ff6263b364dfbfb78bdb48ed59

                                                                Authenticode Signature

                                                                Signature Valid:true
                                                                Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                Signature Validation Error:The operation completed successfully
                                                                Error Number:0
                                                                Not Before, Not After
                                                                • 5/24/2021 4:50:00 AM 8/24/2024 4:50:00 AM
                                                                Subject Chain
                                                                • CN=Bartels Media GmbH, O=Bartels Media GmbH, STREET=Fleischstr. 17, L=Trier, S=Rheinland-Pfalz, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Wittlich, OID.1.3.6.1.4.1.311.60.2.1.2=Rheinland-Pfalz, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=HRB 40726, OID.2.5.4.15=Private Organization
                                                                Version:3
                                                                Thumbprint MD5:40B92EA1746E2F2088E9400722C602C6
                                                                Thumbprint SHA-1:35BF131D8A8657AABD71F374DA8D415E77AB70D7
                                                                Thumbprint SHA-256:8A82EC4FDE3E29ADDCAD6A1E16F9A6BE431F1648A9FB34EA31E5D2FE7BB13474
                                                                Serial:246275052E51A761BDDADA4C

                                                                Entrypoint Preview

                                                                Instruction
                                                                push ebp
                                                                mov ebp, esp
                                                                add esp, FFFFFFA4h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                xor eax, eax
                                                                mov dword ptr [ebp-3Ch], eax
                                                                mov dword ptr [ebp-40h], eax
                                                                mov dword ptr [ebp-5Ch], eax
                                                                mov dword ptr [ebp-30h], eax
                                                                mov dword ptr [ebp-38h], eax
                                                                mov dword ptr [ebp-34h], eax
                                                                mov dword ptr [ebp-2Ch], eax
                                                                mov dword ptr [ebp-28h], eax
                                                                mov dword ptr [ebp-14h], eax
                                                                mov eax, 004A2BC4h
                                                                call 00007F5CB48789DDh
                                                                xor eax, eax
                                                                push ebp
                                                                push 004A85C2h
                                                                push dword ptr fs:[eax]
                                                                mov dword ptr fs:[eax], esp
                                                                xor edx, edx
                                                                push ebp
                                                                push 004A857Eh
                                                                push dword ptr fs:[edx]
                                                                mov dword ptr fs:[edx], esp
                                                                mov eax, dword ptr [004B0634h]
                                                                call 00007F5CB490CADBh
                                                                call 00007F5CB490C632h
                                                                lea edx, dword ptr [ebp-14h]
                                                                xor eax, eax
                                                                call 00007F5CB488E008h
                                                                mov edx, dword ptr [ebp-14h]
                                                                mov eax, 004B3714h
                                                                call 00007F5CB4873267h
                                                                push 00000002h
                                                                push 00000000h
                                                                push 00000001h
                                                                mov ecx, dword ptr [004B3714h]
                                                                mov dl, 01h
                                                                mov eax, dword ptr [00423698h]
                                                                call 00007F5CB488F06Fh
                                                                mov dword ptr [004B3718h], eax
                                                                xor edx, edx
                                                                push ebp
                                                                push 004A852Ah
                                                                push dword ptr fs:[edx]
                                                                mov dword ptr fs:[edx], esp
                                                                call 00007F5CB490CB63h
                                                                mov dword ptr [004B3720h], eax
                                                                mov eax, dword ptr [004B3720h]
                                                                cmp dword ptr [eax+0Ch], 01h
                                                                jne 00007F5CB491341Ah
                                                                mov eax, dword ptr [004B3720h]
                                                                mov edx, 00000028h
                                                                call 00007F5CB488F964h
                                                                mov edx, dword ptr [004B3720h]

                                                                Data Directories

                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb6000 | 0x9a | .edata
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4000 | 0xf1c | .idata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb9000 | 0x646ac | .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x20b37f8 | 0x35f8 |
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0xb8000 | 0x18 | .rdata
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0xb42e0 | 0x240 | .idata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb5000 | 0x1a4 | .didata
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                Sections

                                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                .text | 0x1000 | 0xa50e8 | 0xa5200 | False | 0.356011366862 | data | 6.3692847538 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .itext | 0xa7000 | 0x1668 | 0x1800 | False | 0.541015625 | data | 5.95181064354 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .data | 0xa9000 | 0x37a4 | 0x3800 | False | 0.360630580357 | data | 5.03516853901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .bss | 0xad000 | 0x6778 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .idata | 0xb4000 | 0xf1c | 0x1000 | False | 0.36474609375 | data | 4.79161091586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .didata | 0xb5000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.74582255367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .edata | 0xb6000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.8810692045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .tls | 0xb7000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                .rdata | 0xb8000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.37998812522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .rsrc | 0xb9000 | 0x646ac | 0x64800 | False | 0.172062053016 | data | 4.89676573806 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                Name | RVA | Size | Type | Language | Country
                                                                RT_ICON | 0xb96a8 | 0x12428 | data | English | United States
                                                                RT_ICON | 0xcbad0 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 3823363043, next used block 3236160483 | English | United States
                                                                RT_ICON | 0xcd0f8 | 0xea8 | data | English | United States
                                                                RT_ICON | 0xcdfa0 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                                                RT_ICON | 0xce848 | 0x6c8 | data | English | United States
                                                                RT_ICON | 0xcef10 | 0x608 | data | English | United States
                                                                RT_ICON | 0xcf518 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                                                RT_ICON | 0xcfa80 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
                                                                RT_ICON | 0x111aa8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 63743, next used block 4280221696 | English | United States
                                                                RT_ICON | 0x115cd0 | 0x25a8 | data | English | United States
                                                                RT_ICON | 0x118278 | 0x10a8 | data | English | United States
                                                                RT_ICON | 0x119320 | 0x988 | data | English | United States
                                                                RT_ICON | 0x119ca8 | 0x6b8 | data | English | United States
                                                                RT_ICON | 0x11a360 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                                RT_STRING | 0x11a7c8 | 0x360 | data | |
                                                                RT_STRING | 0x11ab28 | 0x260 | data | |
                                                                RT_STRING | 0x11ad88 | 0x45c | data | |
                                                                RT_STRING | 0x11b1e4 | 0x40c | data | |
                                                                RT_STRING | 0x11b5f0 | 0x2d4 | data | |
                                                                RT_STRING | 0x11b8c4 | 0xb8 | data | |
                                                                RT_STRING | 0x11b97c | 0x9c | data | |
                                                                RT_STRING | 0x11ba18 | 0x374 | data | |
                                                                RT_STRING | 0x11bd8c | 0x398 | data | |
                                                                RT_STRING | 0x11c124 | 0x368 | data | |
                                                                RT_STRING | 0x11c48c | 0x2a4 | data | |
                                                                RT_RCDATA | 0x11c730 | 0x10 | data | |
                                                                RT_RCDATA | 0x11c740 | 0x2c4 | data | |
                                                                RT_RCDATA | 0x11ca04 | 0x2c | data | |
                                                                RT_GROUP_ICON | 0x11ca30 | 0xca | data | English | United States
                                                                RT_VERSION | 0x11cafc | 0x584 | data | English | United States
                                                                RT_MANIFEST | 0x11d080 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                                Imports

                                                                DLL | Import
                                                                kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                                comctl32.dll | InitCommonControls
                                                                version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                                                                user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                                oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                                netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                                                                advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

                                                                Exports

                                                                Name | Ordinal | Address
                                                                TMethodImplementationIntercept | 3 | 0x453ac0
                                                                __dbk_fcall_wrapper | 2 | 0x40d3dc
                                                                dbkFCallWrapperAddr | 1 | 0x4b063c

                                                                Version Infos

                                                                Description | Data
                                                                LegalCopyright | (c) Bartels Media GmbH
                                                                FileVersion | PhraseExpress
                                                                CompanyName | Bartels Media GmbH
                                                                Comments | This installation was built with Inno Setup.
                                                                ProductName | PhraseExpress
                                                                ProductVersion | 15.0.91
                                                                FileDescription | PhraseExpress
                                                                OriginalFileName |
                                                                Translation | 0x0000 0x04b0

                                                                Possible Origin

                                                                Language of compilation system | Country where language is spoken
                                                                English | United States

                                                                Network Behavior

                                                                No network behavior found

                                                                System Behavior

                                                                General

                                                                Start time:20:13:56
                                                                Start date:22/07/2021
                                                                Path:C:\Users\user\Desktop\PhraseExpressSetup.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\PhraseExpressSetup.exe'
                                                                Imagebase:0x400000
                                                                File size:34303472 bytes
                                                                MD5 hash:CE7DB25979FB3CD61FCA4A9E8F6D0C30
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Reputation:low

                                                                General

                                                                Start time:20:13:58
                                                                Start date:22/07/2021
                                                                Path:C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\AppData\Local\Temp\is-DT6B1.tmp\PhraseExpressSetup.tmp' /SL5='$D0256,32684378,1115136,C:\Users\user\Desktop\PhraseExpressSetup.exe'
                                                                Imagebase:0x400000
                                                                File size:2942968 bytes
                                                                MD5 hash:B6F63D25BC114A183946CFE0BBC792D8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Reputation:low

                                                                General

                                                                Start time:20:14:30
                                                                Start date:22/07/2021
                                                                Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\system32\regsvr32.exe' /s 'C:\Program Files (x86)\PhraseExpress\pexmsol.dll'
                                                                Imagebase:0x12a0000
                                                                File size:20992 bytes
                                                                MD5 hash:426E7499F6A7346F0410DEAD0805586B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Reputation:high

                                                                General

                                                                Start time:20:14:32
                                                                Start date:22/07/2021
                                                                Path:C:\Windows\SysWOW64\netsh.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\system32\netsh' advfirewall firewall add rule name='PhraseExpress' dir=in action=allow program='C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe' enable=yes
                                                                Imagebase:0xd90000
                                                                File size:82944 bytes
                                                                MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:20:14:33
                                                                Start date:22/07/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6b2800000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                General

                                                                Start time:20:14:53
                                                                Start date:22/07/2021
                                                                Path:C:\Program Files (x86)\PhraseExpress\phraseexpress.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Program Files (x86)\PhraseExpress\PhraseExpress.exe
                                                                Imagebase:0x400000
                                                                File size:82710008 bytes
                                                                MD5 hash:07DC3423C4D131DFFB08BA7BBDC44C0D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Reputation:low

                                                                Disassembly

                                                                Code Analysis

                                                                  Execution Graph

                                                                  Execution Coverage:3.9%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:12%
                                                                  Total number of Nodes:836
                                                                  Total number of Limit Nodes:33

                                                                  Graph

29206->29228 29210 40b520 29212 40b2d4 13 API calls 29210->29212 29211 40b52f GetUserDefaultUILanguage 29236 40ab58 EnterCriticalSection 29211->29236 29212->29215 29215->29203 29218 40b571 29218->29215 29275 40b3b8 29218->29275 29219 40b557 GetSystemDefaultUILanguage 29220 40ab58 28 API calls 29219->29220 29222 40b564 29220->29222 29223 40b2d4 13 API calls 29222->29223 29223->29218 29226 407a5a 29224->29226 29225 407a80 29225->29196 29226->29225 29382 40540c 11 API calls 29226->29382 29229 40b1ca 29228->29229 29233 40b1dc 29228->29233 29297 40ae8c 29229->29297 29231 40b1d4 29321 40b20c 18 API calls 29231->29321 29234 4079f4 11 API calls 29233->29234 29235 40b1fe 29234->29235 29235->29210 29235->29211 29237 40aba4 LeaveCriticalSection 29236->29237 29238 40ab84 29236->29238 29239 4079f4 11 API calls 29237->29239 29240 40ab95 LeaveCriticalSection 29238->29240 29241 40abb5 IsValidLocale 29239->29241 29242 40ac46 29240->29242 29243 40ac13 EnterCriticalSection 29241->29243 29244 40abc4 29241->29244 29249 4079f4 11 API calls 29242->29249 29245 40ac2b 29243->29245 29246 40abd8 29244->29246 29247 40abcd 29244->29247 29254 40ac3c LeaveCriticalSection 29245->29254 29325 40a840 14 API calls 29246->29325 29324 40aa3c 17 API calls 29247->29324 29252 40ac5b 29249->29252 29251 40abd6 29251->29243 29261 40b2d4 29252->29261 29253 40abe1 GetSystemDefaultUILanguage 29253->29243 29255 40abeb 29253->29255 29254->29242 29256 40abfc GetSystemDefaultUILanguage 29255->29256 29326 4086c4 29255->29326 29338 40a840 14 API calls 29256->29338 29259 40ac09 29260 4086c4 11 API calls 29259->29260 29260->29243 29262 40b2f3 29261->29262 29263 4079f4 11 API calls 29262->29263 29271 40b311 29263->29271 29264 40b37f 29265 4079f4 11 API calls 29264->29265 29266 40b387 29265->29266 29267 4079f4 11 API calls 29266->29267 29268 40b39c 29267->29268 29270 407a54 11 API calls 29268->29270 29269 40888c 11 API calls 29269->29271 29272 40b3a9 29270->29272 29271->29264 29271->29266 29271->29269 29352 40871c 
29271->29352 29363 40b268 29271->29363 29272->29218 29272->29219 29376 407ad8 29275->29376 29278 40b408 29279 40871c 11 API calls 29278->29279 29280 40b415 29279->29280 29281 40b268 13 API calls 29280->29281 29283 40b41c 29281->29283 29282 40b455 29284 407a54 11 API calls 29282->29284 29283->29282 29285 40871c 11 API calls 29283->29285 29286 40b46f 29284->29286 29287 40b443 29285->29287 29288 4079f4 11 API calls 29286->29288 29289 40b268 13 API calls 29287->29289 29290 40b477 29288->29290 29291 40b44a 29289->29291 29290->29215 29291->29282 29292 4079f4 11 API calls 29291->29292 29292->29282 29294 408897 29293->29294 29378 407b7c 29294->29378 29298 40aea3 29297->29298 29299 40aeb7 GetModuleFileNameW 29298->29299 29300 40aecc 29298->29300 29299->29300 29301 40aef4 RegOpenKeyExW 29300->29301 29302 40b09b 29300->29302 29303 40afb5 29301->29303 29304 40af1b RegOpenKeyExW 29301->29304 29307 4079f4 11 API calls 29302->29307 29322 40ac9c 7 API calls 29303->29322 29304->29303 29305 40af39 RegOpenKeyExW 29304->29305 29305->29303 29308 40af57 RegOpenKeyExW 29305->29308 29310 40b0b0 29307->29310 29308->29303 29311 40af75 RegOpenKeyExW 29308->29311 29309 40afd3 RegQueryValueExW 29312 40aff1 29309->29312 29313 40b024 RegQueryValueExW 29309->29313 29310->29231 29311->29303 29314 40af93 RegOpenKeyExW 29311->29314 29317 40aff9 RegQueryValueExW 29312->29317 29315 40b040 29313->29315 29316 40b022 29313->29316 29314->29302 29314->29303 29319 40b048 RegQueryValueExW 29315->29319 29318 40b08a RegCloseKey 29316->29318 29323 40540c 11 API calls 29316->29323 29317->29316 29318->29231 29319->29316 29321->29233 29322->29309 29323->29318 29324->29251 29325->29253 29327 4086c8 29326->29327 29328 408713 29326->29328 29329 4086d2 29327->29329 29335 407dd4 29327->29335 29328->29256 29329->29328 29330 408708 29329->29330 29331 4086ed 29329->29331 29334 408644 11 API calls 29330->29334 29340 408644 29331->29340 29332 407e18 29332->29256 29337 4086f2 29334->29337 29335->29332 29339 40540c 11 API 
calls 29335->29339 29337->29256 29338->29259 29339->29332 29341 40868f 29340->29341 29343 408651 29340->29343 29342 407a18 11 API calls 29341->29342 29346 40868c 29342->29346 29343->29341 29344 408669 29343->29344 29344->29346 29347 407a18 29344->29347 29346->29337 29348 407a39 29347->29348 29349 407a1e 29347->29349 29348->29346 29349->29348 29351 40540c 11 API calls 29349->29351 29351->29348 29353 408720 29352->29353 29354 40878e 29352->29354 29355 408728 29353->29355 29358 407dd4 29353->29358 29355->29354 29360 408737 29355->29360 29371 407dd4 29355->29371 29356 407e18 29356->29271 29358->29356 29370 40540c 11 API calls 29358->29370 29360->29354 29361 407dd4 11 API calls 29360->29361 29362 40878a 29361->29362 29362->29271 29364 40b27d 29363->29364 29365 40b29a FindFirstFileW 29364->29365 29366 40b2b0 29365->29366 29367 40b2aa FindClose 29365->29367 29368 4079f4 11 API calls 29366->29368 29367->29366 29369 40b2c5 29368->29369 29369->29271 29370->29356 29372 407dd8 29371->29372 29373 407e18 29372->29373 29375 40540c 11 API calls 29372->29375 29373->29360 29375->29373 29377 407adc GetUserDefaultUILanguage GetLocaleInfoW 29376->29377 29377->29278 29379 407b8c 29378->29379 29380 407a18 11 API calls 29379->29380 29381 407ba6 29380->29381 29381->29206 29382->29226 29383 4a80cc 29384 4a80f1 29383->29384 29429 4a138c 29384->29429 29387 4a811b 29390 4a8174 29387->29390 29518 426dfc 11 API calls 29387->29518 29388 4a80ff 29434 4a1754 29388->29434 29445 4056b0 QueryPerformanceCounter 29390->29445 29392 4a810f 29398 4a84cc 29392->29398 29510 4a0ecc 29392->29510 29393 4a8179 29448 4a0d04 29393->29448 29397 4a8150 29403 4a8158 MessageBoxW 29397->29403 29401 4a84e5 29398->29401 29409 4a84df RemoveDirectoryW 29398->29409 29399 407dd4 11 API calls 29402 4a818e 29399->29402 29405 4a84f9 29401->29405 29406 4a84ee DestroyWindow 29401->29406 29467 422848 29402->29467 29403->29390 29408 4a8165 29403->29408 29407 4a8522 29405->29407 29521 408dac 27 API calls 29405->29521 29406->29405 
29519 41f358 75 API calls 29408->29519 29409->29401 29414 4a8518 29522 40540c 11 API calls 29414->29522 29418 4a81bc 29419 40871c 11 API calls 29418->29419 29420 4a81ca 29419->29420 29421 407dd4 11 API calls 29420->29421 29422 4a81da 29421->29422 29490 423bf4 29422->29490 29424 4a8219 29496 42463c 29424->29496 29426 4a827b 29520 424918 105 API calls 29426->29520 29428 4a82a2 29523 4a0f5c 29429->29523 29435 4a1784 29434->29435 29436 4a1775 29434->29436 29437 4079f4 11 API calls 29435->29437 29438 407e1c 11 API calls 29436->29438 29439 4a1782 29437->29439 29438->29439 29542 4087a4 29439->29542 29441 4a17ac 29442 4a17bb MessageBoxW 29441->29442 29443 407a54 11 API calls 29442->29443 29444 4a17dd 29443->29444 29444->29392 29446 4056bd GetTickCount 29445->29446 29447 4056cb 29445->29447 29446->29447 29447->29393 29451 4a0d0c 29448->29451 29452 4a0d4b CreateDirectoryW 29451->29452 29548 422c64 29451->29548 29573 4a0be8 29451->29573 29593 426dfc 11 API calls 29451->29593 29594 419f38 11 API calls 29451->29594 29595 4231e0 FormatMessageW 29451->29595 29599 426dcc 11 API calls 29451->29599 29600 41f384 11 API calls 29451->29600 29601 4070f0 11 API calls 29451->29601 29453 4a0dc7 29452->29453 29454 4a0d55 GetLastError 29452->29454 29455 407dd4 11 API calls 29453->29455 29454->29451 29456 4a0dd1 29455->29456 29458 407a54 11 API calls 29456->29458 29459 4a0deb 29458->29459 29461 407a54 11 API calls 29459->29461 29462 4a0df8 29461->29462 29462->29399 29468 422858 29467->29468 29469 40888c 11 API calls 29468->29469 29470 42286a 29469->29470 29471 4225bc 29470->29471 29472 4225e6 29471->29472 29473 4225fa 29472->29473 29474 4225ec 29472->29474 29476 40888c 11 API calls 29473->29476 29475 40871c 11 API calls 29474->29475 29477 4225f8 29475->29477 29478 42260d 29476->29478 29480 4079f4 11 API calls 29477->29480 29479 40871c 11 API calls 29478->29479 29479->29477 29481 42262f 29480->29481 29482 422554 29481->29482 29483 422582 29482->29483 29486 42255e 29482->29486 29484 407dd4 11 
API calls 29483->29484 29485 42258b 29484->29485 29485->29418 29486->29483 29487 422571 29486->29487 29488 40871c 11 API calls 29487->29488 29489 42257f 29488->29489 29489->29418 29491 423bfe 29490->29491 29676 423c9c 29491->29676 29492 423c2d 29494 423c43 29492->29494 29679 423ba0 106 API calls 29492->29679 29494->29424 29497 424649 29496->29497 29501 4246a2 29497->29501 29682 41f384 11 API calls 29497->29682 29499 42469d 29683 4070f0 11 API calls 29499->29683 29505 4246ca 29501->29505 29684 41f384 11 API calls 29501->29684 29503 4246c5 29685 4070f0 11 API calls 29503->29685 29506 42470d 29505->29506 29686 41f384 11 API calls 29505->29686 29506->29426 29508 424708 29687 4070f0 11 API calls 29508->29687 29511 4a0f26 29510->29511 29513 4a0edf 29510->29513 29511->29398 29512 4a0ee7 Sleep 29512->29513 29513->29511 29513->29512 29514 4a0ef7 Sleep 29513->29514 29516 4a0f0e GetLastError 29513->29516 29688 427040 29513->29688 29514->29513 29516->29511 29517 4a0f18 GetLastError 29516->29517 29517->29511 29517->29513 29518->29397 29520->29428 29521->29414 29522->29407 29524 4a0f7b 29523->29524 29525 4a0fb1 29524->29525 29526 4a0fb5 29524->29526 29530 4a0f8f 29524->29530 29527 4a0fbe GetUserDefaultLangID 29525->29527 29532 4a0fb3 29525->29532 29539 422f10 55 API calls 29526->29539 29527->29532 29529 4a0fba 29529->29532 29533 4a1320 29530->29533 29531 4a0f30 GetLocaleInfoW 29531->29532 29532->29530 29532->29531 29534 4a1328 29533->29534 29535 4a1363 29533->29535 29534->29535 29540 407f30 11 API calls 29534->29540 29535->29387 29535->29388 29537 4a1349 29541 426ef0 11 API calls 29537->29541 29539->29529 29540->29537 29541->29535 29544 4087ba 29542->29544 29543 40883f 29543->29543 29544->29543 29545 408644 11 API calls 29544->29545 29546 4087f5 29544->29546 29545->29546 29546->29543 29547 407dd4 11 API calls 29546->29547 29547->29543 29602 422984 29548->29602 29550 422c94 29552 422984 12 API calls 29550->29552 29555 422ce1 29550->29555 29554 422ca4 29552->29554 29556 422cb0 
29554->29556 29558 422960 12 API calls 29554->29558 29610 422798 29555->29610 29556->29555 29622 42004c 47 API calls 29556->29622 29558->29556 29561 422cb9 29563 422cd6 29561->29563 29566 422984 12 API calls 29561->29566 29562 422554 11 API calls 29565 422cf6 29562->29565 29563->29555 29623 422c0c GetWindowsDirectoryW 29563->29623 29567 407dd4 11 API calls 29565->29567 29568 422cca 29566->29568 29569 422d00 29567->29569 29568->29563 29571 422960 12 API calls 29568->29571 29570 407a54 11 API calls 29569->29570 29572 422d1a 29570->29572 29571->29563 29572->29451 29574 4a0c0c 29573->29574 29575 422554 11 API calls 29574->29575 29576 4a0c25 29575->29576 29577 407e1c 11 API calls 29576->29577 29582 4a0c30 29577->29582 29579 4228a0 11 API calls 29579->29582 29580 4087a4 11 API calls 29580->29582 29582->29579 29582->29580 29585 4a0cac 29582->29585 29638 4a0b70 29582->29638 29646 4270b8 29582->29646 29654 426dfc 11 API calls 29582->29654 29655 41f384 11 API calls 29582->29655 29656 4070f0 11 API calls 29582->29656 29587 407dd4 11 API calls 29585->29587 29588 4a0cb7 29587->29588 29589 407a54 11 API calls 29588->29589 29590 4a0cd1 29589->29590 29591 407a54 11 API calls 29590->29591 29592 4a0cde 29591->29592 29592->29451 29593->29451 29594->29451 29596 423206 29595->29596 29597 407b7c 11 API calls 29596->29597 29598 423226 29597->29598 29598->29451 29599->29451 29600->29451 29603 408644 11 API calls 29602->29603 29604 422997 29603->29604 29605 4229b2 GetEnvironmentVariableW 29604->29605 29609 4229c5 29604->29609 29624 422d78 11 API calls 29604->29624 29605->29604 29606 4229be 29605->29606 29608 4079f4 11 API calls 29606->29608 29608->29609 29609->29550 29619 422960 29609->29619 29611 4227a1 29610->29611 29611->29611 29612 4227c8 GetFullPathNameW 29611->29612 29613 4227d4 29612->29613 29614 4227eb 29612->29614 29613->29614 29616 4227dc 29613->29616 29615 407dd4 11 API calls 29614->29615 29617 4227e9 29615->29617 29618 407b7c 11 API calls 29616->29618 29617->29562 29618->29617 
29625 42290c 29619->29625 29622->29561 29623->29555 29624->29604 29631 4228a0 29625->29631 29627 42292c 29628 422934 GetFileAttributesW 29627->29628 29629 4079f4 11 API calls 29628->29629 29630 422951 29629->29630 29630->29550 29632 4228b1 29631->29632 29633 4228f7 29632->29633 29634 4228ec 29632->29634 29636 40888c 11 API calls 29633->29636 29635 407dd4 11 API calls 29634->29635 29637 4228f5 29635->29637 29636->29637 29637->29627 29639 4079f4 11 API calls 29638->29639 29641 4a0b91 29639->29641 29643 4a0bc2 29641->29643 29657 4084f0 29641->29657 29660 408930 29641->29660 29644 4079f4 11 API calls 29643->29644 29645 4a0bd7 29644->29645 29645->29582 29664 426ff4 29646->29664 29648 4270ce 29649 4270d2 29648->29649 29670 422974 29648->29670 29649->29582 29654->29582 29655->29582 29658 407b7c 11 API calls 29657->29658 29659 4084fd 29658->29659 29659->29641 29661 408945 29660->29661 29662 408644 11 API calls 29661->29662 29663 40899a 29661->29663 29662->29663 29663->29641 29665 427002 29664->29665 29666 426ffe 29664->29666 29667 427024 SetLastError 29665->29667 29668 42700b Wow64DisableWow64FsRedirection 29665->29668 29666->29648 29669 42701f 29667->29669 29668->29669 29669->29648 29671 42290c 12 API calls 29670->29671 29672 42297e GetLastError 29671->29672 29673 427030 29672->29673 29674 427035 Wow64RevertWow64FsRedirection 29673->29674 29675 42703f 29673->29675 29674->29675 29675->29582 29680 4084c8 29676->29680 29678 423cd8 CreateFileW 29678->29492 29679->29494 29681 4084ce 29680->29681 29681->29678 29682->29499 29684->29503 29686->29508 29689 426ff4 2 API calls 29688->29689 29690 427056 29689->29690 29691 42705a 29690->29691 29692 427076 DeleteFileW GetLastError 29690->29692 29691->29513 29693 427030 Wow64RevertWow64FsRedirection 29692->29693 29694 42709c 29693->29694 29694->29513 29695 403ee8 29696 403f00 29695->29696 29697 404148 29695->29697 29707 403f12 29696->29707 29710 403f9d Sleep 29696->29710 29698 404260 29697->29698 29699 40410c 29697->29699 29700 403c94 
VirtualAlloc 29698->29700 29701 404269 29698->29701 29708 404126 Sleep 29699->29708 29711 404166 29699->29711 29703 403ccf 29700->29703 29704 403cbf 29700->29704 29702 403f21 29705 403c48 2 API calls 29704->29705 29705->29703 29706 404000 29718 40400c 29706->29718 29719 403bcc 29706->29719 29707->29702 29707->29706 29713 403fe1 Sleep 29707->29713 29709 40413c Sleep 29708->29709 29708->29711 29709->29699 29710->29707 29712 403fb3 Sleep 29710->29712 29714 403bcc VirtualAlloc 29711->29714 29715 404184 29711->29715 29712->29696 29713->29706 29717 403ff7 Sleep 29713->29717 29714->29715 29717->29707 29723 403b60 29719->29723 29721 403bd5 VirtualAlloc 29722 403bec 29721->29722 29722->29718 29724 403b00 29723->29724 29724->29721 29725 4a8383 29726 4a83b3 29725->29726 29749 40e748 29726->29749 29728 4a83ec SetWindowLongW 29753 41a99c 29728->29753 29733 4087a4 11 API calls 29734 4a846e 29733->29734 29761 4a143c 29734->29761 29737 4a1320 11 API calls 29739 4a8493 29737->29739 29738 4a84cc 29741 4a84e5 29738->29741 29744 4a84df RemoveDirectoryW 29738->29744 29739->29738 29740 4a0ecc 9 API calls 29739->29740 29740->29738 29742 4a84f9 29741->29742 29743 4a84ee DestroyWindow 29741->29743 29748 4a8522 29742->29748 29776 408dac 27 API calls 29742->29776 29743->29742 29744->29741 29746 4a8518 29777 40540c 11 API calls 29746->29777 29778 405720 29749->29778 29751 40e75b CreateWindowExW 29752 40e795 29751->29752 29752->29728 29779 41a9c4 29753->29779 29756 422ab8 GetCommandLineW 29797 422a28 29756->29797 29758 422adb 29759 4079f4 11 API calls 29758->29759 29760 422af9 29759->29760 29760->29733 29762 4087a4 11 API calls 29761->29762 29763 4a1477 29762->29763 29764 4a14a9 CreateProcessW 29763->29764 29765 4a14bc CloseHandle 29764->29765 29766 4a14b5 29764->29766 29768 4a14c5 29765->29768 29816 4a1064 13 API calls 29766->29816 29812 4a1410 29768->29812 29771 4a14e3 29772 4a1410 3 API calls 29771->29772 29773 4a14e8 GetExitCodeProcess CloseHandle 29772->29773 29774 4079f4 11 API calls 
29773->29774 29775 4a1510 29774->29775 29775->29737 29775->29739 29776->29746 29777->29748 29778->29751 29782 41a9dc 29779->29782 29783 41a9e5 29782->29783 29783->29783 29785 41aa45 29783->29785 29795 41a914 104 API calls 29783->29795 29786 41aab8 29785->29786 29793 41aa62 29785->29793 29787 407b7c 11 API calls 29786->29787 29789 41a9bc 29787->29789 29788 41aaac 29790 408644 11 API calls 29788->29790 29789->29756 29790->29789 29791 4079f4 11 API calls 29791->29793 29792 408644 11 API calls 29792->29793 29793->29788 29793->29791 29793->29792 29796 41a914 104 API calls 29793->29796 29795->29785 29796->29793 29798 422a53 29797->29798 29799 407b7c 11 API calls 29798->29799 29800 422a60 29799->29800 29807 407f74 29800->29807 29802 422a68 29803 407dd4 11 API calls 29802->29803 29804 422a80 29803->29804 29805 4079f4 11 API calls 29804->29805 29806 422aa8 29805->29806 29806->29758 29809 407eec 29807->29809 29808 407f27 29808->29802 29809->29808 29811 40540c 11 API calls 29809->29811 29811->29808 29813 4a1424 PeekMessageW 29812->29813 29814 4a1418 TranslateMessage DispatchMessageW 29813->29814 29815 4a1436 MsgWaitForMultipleObjects 29813->29815 29814->29813 29815->29768 29815->29771 29816->29765 29817 4a7ed0 29844 40d508 GetModuleHandleW 29817->29844 29826 407dd4 11 API calls 29827 4a7f42 29826->29827 29828 423bf4 107 API calls 29827->29828 29829 4a7f5a 29828->29829 29876 4a1700 FindResourceW 29829->29876 29832 4a7fcf 29889 423bb4 29832->29889 29833 4a7f72 29833->29832 29911 4a1544 11 API calls 29833->29911 29835 4a7ff5 29836 4a8011 29835->29836 29912 4a1544 11 API calls 29835->29912 29838 42463c 11 API calls 29836->29838 29839 4a8037 29838->29839 29893 425bcc 29839->29893 29841 4a8062 29842 4a80ad 29841->29842 29843 425bcc 105 API calls 29841->29843 29843->29841 29845 40d543 29844->29845 29913 407458 29845->29913 29848 4a162c GetSystemInfo VirtualQuery 29849 4a1658 29848->29849 29850 4a16f7 29848->29850 29849->29850 29851 4a16d7 VirtualQuery 29849->29851 29852 4a1688 
VirtualProtect 29849->29852 29853 4a16c1 VirtualProtect 29849->29853 29854 4a1188 29850->29854 29851->29849 29851->29850 29852->29849 29853->29851 30086 422b08 GetCommandLineW 29854->30086 29856 4a1271 29857 407a54 11 API calls 29856->29857 29858 4a128b 29857->29858 29862 422b68 29858->29862 29859 422b68 13 API calls 29860 4a11a6 29859->29860 29860->29856 29860->29859 29861 40888c 11 API calls 29860->29861 29861->29860 29863 422bb3 GetCommandLineW 29862->29863 29864 422b8f GetModuleFileNameW 29862->29864 29874 422bba 29863->29874 29865 407b7c 11 API calls 29864->29865 29866 422bb1 29865->29866 29868 422be7 29866->29868 29867 422bc0 29869 4079f4 11 API calls 29867->29869 29871 4079f4 11 API calls 29868->29871 29873 422bc8 29869->29873 29870 422a28 11 API calls 29870->29874 29872 422bfc 29871->29872 29872->29826 29875 407dd4 11 API calls 29873->29875 29874->29867 29874->29870 29874->29873 29875->29868 29877 4a171a SizeofResource 29876->29877 29878 4a1715 29876->29878 29880 4a172c LoadResource 29877->29880 29881 4a1727 29877->29881 30093 4a1544 11 API calls 29878->30093 29882 4a173a 29880->29882 29883 4a173f LockResource 29880->29883 30094 4a1544 11 API calls 29881->30094 30095 4a1544 11 API calls 29882->30095 29886 4a174b 29883->29886 29887 4a1750 29883->29887 30096 4a1544 11 API calls 29886->30096 29887->29833 29890 423bc8 29889->29890 29891 423bd8 29890->29891 30097 423aec 105 API calls 29890->30097 29891->29835 29896 425bfd 29893->29896 29908 425c48 29893->29908 29894 425c95 30101 424918 105 API calls 29894->30101 29900 408644 11 API calls 29896->29900 29903 407f74 11 API calls 29896->29903 29905 407dd4 11 API calls 29896->29905 29896->29908 29909 424918 105 API calls 29896->29909 29897 425cad 29898 407a18 11 API calls 29897->29898 29901 425cc2 29898->29901 29900->29896 29902 4079f4 11 API calls 29901->29902 29906 425cca 29902->29906 29903->29896 29905->29896 29906->29841 29908->29894 29910 424918 105 API calls 29908->29910 30098 4081e4 11 API calls 29908->30098 
30099 407f30 11 API calls 29908->30099 30100 407e70 11 API calls 29908->30100 29909->29896 29910->29908 29911->29832 29912->29836 29914 407490 29913->29914 29917 4073ec 29914->29917 29918 407434 29917->29918 29919 4073fc 29917->29919 29918->29848 29919->29918 29921 4231e0 12 API calls 29919->29921 29926 40cde0 GetSystemInfo 29919->29926 29927 4a7114 29919->29927 29999 4a7980 29919->29999 30009 4a7000 29919->30009 30021 4a7a8c 29919->30021 29921->29919 29926->29919 29928 4a711c 29927->29928 29929 4a736d 29928->29929 29930 4a7141 GetModuleHandleW GetVersion 29928->29930 29933 407a54 11 API calls 29929->29933 29931 4a717a 29930->29931 29932 4a715c GetProcAddress 29930->29932 29935 4a7182 GetProcAddress 29931->29935 29936 4a7344 GetProcAddress 29931->29936 29932->29931 29934 4a716d 29932->29934 29937 4a7387 29933->29937 29934->29931 29938 4a7191 29935->29938 29939 4a735a GetProcAddress 29936->29939 29940 4a7353 29936->29940 29937->29919 30039 40e818 GetSystemDirectoryW 29938->30039 29939->29929 29942 4a7369 SetProcessDEPPolicy 29939->29942 29940->29939 29942->29929 29943 4a71a0 29944 407dd4 11 API calls 29943->29944 29945 4a71ad 29944->29945 29945->29936 29946 4a71e5 29945->29946 29947 4086c4 11 API calls 29945->29947 29948 40871c 11 API calls 29946->29948 29947->29946 29949 4a71f8 29948->29949 30040 40e844 SetErrorMode LoadLibraryW 29949->30040 29951 4a7200 29952 40871c 11 API calls 29951->29952 29953 4a7213 29952->29953 30041 40e844 SetErrorMode LoadLibraryW 29953->30041 29955 4a721b 29956 40871c 11 API calls 29955->29956 29957 4a722e 29956->29957 30042 40e844 SetErrorMode LoadLibraryW 29957->30042 29959 4a7236 29960 40871c 11 API calls 29959->29960 29961 4a7249 29960->29961 30043 40e844 SetErrorMode LoadLibraryW 29961->30043 29963 4a7251 29964 40871c 11 API calls 29963->29964 29965 4a7264 29964->29965 30044 40e844 SetErrorMode LoadLibraryW 29965->30044 29967 4a726c 29968 40871c 11 API calls 29967->29968 29969 4a727f 29968->29969 30045 40e844 SetErrorMode 
LoadLibraryW 29969->30045 29971 4a7287 29972 40871c 11 API calls 29971->29972 29973 4a729a 29972->29973 30046 40e844 SetErrorMode LoadLibraryW 29973->30046 29975 4a72a2 29976 40871c 11 API calls 29975->29976 29977 4a72b5 29976->29977 30047 40e844 SetErrorMode LoadLibraryW 29977->30047 29979 4a72bd 29980 40871c 11 API calls 29979->29980 29981 4a72d0 29980->29981 30048 40e844 SetErrorMode LoadLibraryW 29981->30048 29983 4a72d8 29984 40871c 11 API calls 29983->29984 29985 4a72eb 29984->29985 30049 40e844 SetErrorMode LoadLibraryW 29985->30049 29987 4a72f3 29988 40871c 11 API calls 29987->29988 29989 4a7306 29988->29989 30050 40e844 SetErrorMode LoadLibraryW 29989->30050 29991 4a730e 29992 40871c 11 API calls 29991->29992 29993 4a7321 29992->29993 30051 40e844 SetErrorMode LoadLibraryW 29993->30051 29995 4a7329 29996 40871c 11 API calls 29995->29996 29997 4a733c 29996->29997 30052 40e844 SetErrorMode LoadLibraryW 29997->30052 30000 4a7a2e 29999->30000 30001 4a799e 29999->30001 30000->29919 30053 40755c 30001->30053 30003 4a79a8 30004 407dd4 11 API calls 30003->30004 30005 4a79ca 30003->30005 30004->30005 30006 40b1a8 48 API calls 30005->30006 30007 4a7a11 30006->30007 30059 4205cc 119 API calls 30007->30059 30010 4a70c9 30009->30010 30011 4a701e 30009->30011 30010->29919 30012 4a7028 SetThreadLocale 30011->30012 30063 40a5c4 InitializeCriticalSection GetVersion 30012->30063 30016 4a705e 30017 4a7077 GetCommandLineW 30016->30017 30067 403810 GetStartupInfoW 30017->30067 30019 4a70a1 GetACP GetCurrentThreadId 30068 40cdf4 GetVersion 30019->30068 30022 4a7b3b 30021->30022 30023 4a7ab0 GetModuleHandleW 30021->30023 30025 407a54 11 API calls 30022->30025 30069 40e4a8 30023->30069 30027 4a7b55 30025->30027 30026 4a7ac5 GetModuleHandleW 30028 40e4a8 13 API calls 30026->30028 30027->29919 30029 4a7adf 30028->30029 30081 422c38 GetSystemDirectoryW 30029->30081 30031 4a7b09 30032 422554 11 API calls 30031->30032 30033 4a7b14 30032->30033 30034 4086c4 11 API calls 30033->30034 
30035 4a7b21 30034->30035 30083 421124 SetErrorMode 30035->30083 30037 4a7b2e 30038 4231e0 12 API calls 30037->30038 30038->30022 30039->29943 30040->29951 30041->29955 30042->29959 30043->29963 30044->29967 30045->29971 30046->29975 30047->29979 30048->29983 30049->29987 30050->29991 30051->29995 30052->29936 30054 407568 30053->30054 30058 40759f 30054->30058 30060 4074a0 75 API calls 30054->30060 30061 4074f8 75 API calls 30054->30061 30062 407548 75 API calls 30054->30062 30058->30003 30059->30000 30060->30054 30061->30054 30062->30054 30064 40a642 30063->30064 30065 40a5f4 6 API calls 30063->30065 30066 40cde0 GetSystemInfo 30064->30066 30065->30064 30066->30016 30067->30019 30068->30010 30070 40e4d0 GetProcAddress 30069->30070 30071 40e4dc 30069->30071 30073 40e530 30070->30073 30072 407a18 11 API calls 30071->30072 30076 40e4f2 30072->30076 30074 407a18 11 API calls 30073->30074 30075 40e545 30074->30075 30075->30026 30077 40e509 GetProcAddress 30076->30077 30078 40e520 30077->30078 30079 407a18 11 API calls 30078->30079 30080 40e528 30079->30080 30080->30026 30082 422c59 30081->30082 30082->30031 30084 4084c8 30083->30084 30085 42115c LoadLibraryW 30084->30085 30085->30037 30087 422a28 11 API calls 30086->30087 30088 422b2a 30087->30088 30089 422b43 30088->30089 30090 422a28 11 API calls 30088->30090 30091 4079f4 11 API calls 30089->30091 30090->30088 30092 422b58 30091->30092 30092->29860 30093->29877 30094->29880 30095->29883 30096->29887 30097->29891 30098->29908 30099->29908 30100->29908 30101->29897 30102 4a82c1 30103 4a82e6 30102->30103 30104 4a831e 30103->30104 30114 4a1544 11 API calls 30103->30114 30110 423dcc SetEndOfFile 30104->30110 30107 4a833a 30115 40540c 11 API calls 30107->30115 30109 4a8371 30111 423de3 30110->30111 30112 423ddc 30110->30112 30111->30107 30116 423ba0 106 API calls 30112->30116 30114->30104 30115->30109 30116->30111

                                                                  Executed Functions

                                                                  C-Code - Quality: 73%
                                                                  			E004A7114(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                  				char _v8;
                                                                  				char _v12;
                                                                  				char _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				char _v28;
                                                                  				char _v32;
                                                                  				char _v36;
                                                                  				char _v40;
                                                                  				char _v44;
                                                                  				char _v48;
                                                                  				char _v52;
                                                                  				char _v56;
                                                                  				char _v60;
                                                                  				long _t39;
                                                                  				_Unknown_base(*)()* _t42;
                                                                  				_Unknown_base(*)()* _t43;
                                                                  				_Unknown_base(*)()* _t46;
                                                                  				signed int _t51;
                                                                  				void* _t111;
                                                                  				void* _t112;
                                                                  				intOrPtr _t129;
                                                                  				struct HINSTANCE__* _t148;
                                                                  				intOrPtr* _t150;
                                                                  				intOrPtr _t152;
                                                                  				intOrPtr _t153;
                                                                  
                                                                  				_t152 = _t153;
                                                                  				_t112 = 7;
                                                                  				do {
                                                                  					_push(0);
                                                                  					_push(0);
                                                                  					_t112 = _t112 - 1;
                                                                  				} while (_t112 != 0);
                                                                  				_push(_t152);
                                                                  				_push(0x4a7388);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t153;
                                                                  				 *0x4b0664 =  *0x4b0664 - 1;
                                                                  				if( *0x4b0664 >= 0) {
                                                                  					L19:
                                                                  					_pop(_t129);
                                                                  					 *[fs:eax] = _t129;
                                                                  					_push(0x4a738f);
                                                                  					return E00407A54( &_v60, 0xe);
                                                                  				} else {
                                                                  					_t148 = GetModuleHandleW(L"kernel32.dll");
                                                                  					_t39 = GetVersion();
                                                                  					_t111 = 0;
                                                                  					if(_t39 != 0x600) {
                                                                  						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
                                                                  						if(_t150 != 0) {
                                                                  							 *_t150(0x800);
                                                                  							asm("sbb ebx, ebx");
                                                                  							_t111 = 1;
                                                                  						}
                                                                  					}
                                                                  					if(_t111 == 0) {
                                                                  						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
                                                                  						if(_t46 != 0) {
                                                                  							 *_t46(0x4a73e4);
                                                                  						}
                                                                  						E0040E818( &_v8);
                                                                  						E00407DD4(0x4b0668, _v8);
                                                                  						if( *0x4b0668 != 0) {
                                                                  							_t51 =  *0x4b0668;
                                                                  							if(_t51 != 0) {
                                                                  								_t51 =  *(_t51 - 4);
                                                                  							}
                                                                  							if( *((short*)( *0x4b0668 + _t51 * 2 - 2)) != 0x5c) {
                                                                  								E004086C4(0x4b0668, 0x4a73f4);
                                                                  							}
                                                                  							E0040871C( &_v12, L"uxtheme.dll",  *0x4b0668);
                                                                  							E0040E844(_v12, _t111);
                                                                  							E0040871C( &_v16, L"userenv.dll",  *0x4b0668);
                                                                  							E0040E844(_v16, _t111);
                                                                  							E0040871C( &_v20, L"setupapi.dll",  *0x4b0668);
                                                                  							E0040E844(_v20, _t111);
                                                                  							E0040871C( &_v24, L"apphelp.dll",  *0x4b0668);
                                                                  							E0040E844(_v24, _t111);
                                                                  							E0040871C( &_v28, L"propsys.dll",  *0x4b0668);
                                                                  							E0040E844(_v28, _t111);
                                                                  							E0040871C( &_v32, L"dwmapi.dll",  *0x4b0668);
                                                                  							E0040E844(_v32, _t111);
                                                                  							E0040871C( &_v36, L"cryptbase.dll",  *0x4b0668);
                                                                  							E0040E844(_v36, _t111);
                                                                  							E0040871C( &_v40, L"oleacc.dll",  *0x4b0668);
                                                                  							E0040E844(_v40, _t111);
                                                                  							E0040871C( &_v44, L"version.dll",  *0x4b0668);
                                                                  							E0040E844(_v44, _t111);
                                                                  							E0040871C( &_v48, L"profapi.dll",  *0x4b0668);
                                                                  							E0040E844(_v48, _t111);
                                                                  							E0040871C( &_v52, L"comres.dll",  *0x4b0668);
                                                                  							E0040E844(_v52, _t111);
                                                                  							E0040871C( &_v56, L"clbcatq.dll",  *0x4b0668);
                                                                  							E0040E844(_v56, _t111);
                                                                  							E0040871C( &_v60, L"ntmarta.dll",  *0x4b0668);
                                                                  							E0040E844(_v60, _t111);
                                                                  						}
                                                                  					}
                                                                  					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
                                                                  					if(_t42 != 0) {
                                                                  						 *_t42(0x8001);
                                                                  					}
                                                                  					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
                                                                  					if(_t43 != 0) {
                                                                  						 *_t43(1); // executed
                                                                  					}
                                                                  					goto L19;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004A7388,?,?,?,?,00000000,00000000), ref: 004A7146
                                                                  • GetVersion.KERNEL32(kernel32.dll,00000000,004A7388,?,?,?,?,00000000,00000000), ref: 004A714D
                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004A7162
                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004A7188
                                                                    • Part of subcall function 0040E844: SetErrorMode.KERNEL32(00008000), ref: 0040E852
                                                                    • Part of subcall function 0040E844: LoadLibraryW.KERNEL32(00000000,00000000,0040E89C,?,00000000,0040E8BA,?,00008000), ref: 0040E881
                                                                  • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004A734A
                                                                  • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004A7360
                                                                  • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004A7388,?,?,?,?,00000000,00000000), ref: 004A736B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
                                                                  • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                                  • API String ID: 2248137261-1119018034
                                                                  • Opcode ID: 3cff10d8a37e8f74ee08042b476ec0aeb1e7e16601af9275c0598c71473bbef6
                                                                  • Instruction ID: 02322ebf13ac6853ed14ef268a063699a4793311109b24e8029bbe3fde3c2d54
                                                                  • Opcode Fuzzy Hash: 3cff10d8a37e8f74ee08042b476ec0aeb1e7e16601af9275c0598c71473bbef6
                                                                  • Instruction Fuzzy Hash: 8E516E346441449BDB10FBA6CC82E9E73B5EBD6308B24863BE810772A5DB3CAD55CB5C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  [Figure: control-flow graph 382 for the function at 4a162c (GetSystemInfo, VirtualQuery, VirtualProtect, call to 4a1624); legend: Executed / Not Executed]
                                                                  C-Code - Quality: 100%
                                                                  			E004A162C(void* __eax) {
                                                                  				char _v44;
                                                                  				struct _SYSTEM_INFO _v80;
                                                                  				long _v84;
                                                                  				char _v88;
                                                                  				long _t22;
                                                                  				int _t28;
                                                                  				void* _t37;
                                                                  				struct _MEMORY_BASIC_INFORMATION* _t40;
                                                                  				long _t41;
                                                                  				void** _t42;
                                                                  
                                                                  				_t42 =  &(_v80.dwPageSize);
                                                                  				 *_t42 = __eax;
                                                                  				_t40 =  &_v44;
                                                                  				GetSystemInfo( &_v80); // executed
                                                                  				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
                                                                  				if(_t22 == 0) {
                                                                  					L17:
                                                                  					return _t22;
                                                                  				} else {
                                                                  					while(1) {
                                                                  						_t22 = _t40->AllocationBase;
                                                                  						if(_t22 !=  *_t42) {
                                                                  							goto L17;
                                                                  						}
                                                                  						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
                                                                  							L15:
                                                                  							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
                                                                  							if(_t22 == 0) {
                                                                  								goto L17;
                                                                  							}
                                                                  							continue;
                                                                  						} else {
                                                                  							_v88 = 0;
                                                                  							_t41 = _t40->Protect;
                                                                  							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
                                                                  								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
                                                                  								if(_t28 != 0) {
                                                                  									_v88 = 1;
                                                                  								}
                                                                  							}
                                                                  							_t37 = 0;
                                                                  							while(_t37 < _t40->RegionSize) {
                                                                  								E004A1624(_t40->BaseAddress + _t37);
                                                                  								_t37 = _t37 + _v80.dwPageSize;
                                                                  							}
                                                                  							if(_v88 != 0) {
                                                                  								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
                                                                  							}
                                                                  							goto L15;
                                                                  						}
                                                                  					}
                                                                  					goto L17;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetSystemInfo.KERNEL32(?), ref: 004A163F
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004A164B
                                                                  • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004A1696
                                                                  • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004A16D2
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004A16E2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$ProtectQuery$InfoSystem
                                                                  • String ID:
                                                                  • API String ID: 2441996862-0
                                                                  • Opcode ID: 5b3962b5c6332dcebc7121228b8a4b3e3461861da3638e45f5f22f4c152fd88c
                                                                  • Instruction ID: 121c490457b7ae1f12085ab2edba84d2aabbc21e4026ddd200c69c56977e63ec
                                                                  • Opcode Fuzzy Hash: 5b3962b5c6332dcebc7121228b8a4b3e3461861da3638e45f5f22f4c152fd88c
                                                                  • Instruction Fuzzy Hash: D5216971504344ABD720EA59CD84EABB7E8AF66314F4C4C1EF694C32A1D33AE844CB66
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 73%
                                                                  			E0040B3B8(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                                                  				char _v8;
                                                                  				short _v12;
                                                                  				void* _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				void* _t29;
                                                                  				void* _t40;
                                                                  				intOrPtr* _t44;
                                                                  				intOrPtr _t55;
                                                                  				void* _t61;
                                                                  
                                                                  				_push(__ebx);
                                                                  				_v24 = 0;
                                                                  				_v20 = 0;
                                                                  				_t44 = __edx;
                                                                  				_v8 = __eax;
                                                                  				E00407AD8(_v8);
                                                                  				_push(_t61);
                                                                  				_push(0x40b478);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t61 + 0xffffffec;
                                                                  				_t21 =  &_v16;
                                                                  				L00403730();
                                                                  				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                                                  				E0040856C( &_v20, 4,  &_v16);
                                                                  				E0040871C(_t44, _v20, _v8);
                                                                  				_t29 = E0040B268( *_t44, _t44); // executed
                                                                  				if(_t29 == 0) {
                                                                  					_v12 = 0;
                                                                  					E0040856C( &_v24, 4,  &_v16);
                                                                  					E0040871C(_t44, _v24, _v8);
                                                                  					_t40 = E0040B268( *_t44, _t44); // executed
                                                                  					if(_t40 == 0) {
                                                                  						E004079F4(_t44);
                                                                  					}
                                                                  				}
                                                                  				_pop(_t55);
                                                                  				 *[fs:eax] = _t55;
                                                                  				_push(E0040B47F);
                                                                  				E00407A54( &_v24, 2);
                                                                  				return E004079F4( &_v8);
                                                                  			}














                                                                  APIs
                                                                  • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B478,?,?), ref: 0040B3EA
                                                                  • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B478,?,?), ref: 0040B3F3
                                                                    • Part of subcall function 0040B268: FindFirstFileW.KERNEL32(00000000,?,00000000,0040B2C6,?,?), ref: 0040B29B
                                                                    • Part of subcall function 0040B268: FindClose.KERNEL32(00000000,00000000,?,00000000,0040B2C6,?,?), ref: 0040B2AB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                  • String ID:
                                                                  • API String ID: 3216391948-0
                                                                  • Opcode ID: 7c11227e8b53d5cf57ab3c00df66d88cc61cce9a5cb76bffb90c21d47624e2da
                                                                  • Instruction ID: 9155c5fd2a6d7a32e17c8bb0479b116e8c2ecdb55d1a06f7ce78c4880fdbda1e
                                                                  • Opcode Fuzzy Hash: 7c11227e8b53d5cf57ab3c00df66d88cc61cce9a5cb76bffb90c21d47624e2da
                                                                  • Instruction Fuzzy Hash: B9117570A041499BDB00EFA5C942AAEB3B8EF44304F50407FB544B72D2DB385F04CA6D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 46%
                                                                  			E0040B268(char __eax, signed int __ebx) {
                                                                  				char _v8;
                                                                  				struct _WIN32_FIND_DATAW _v600;
                                                                  				void* _t15;
                                                                  				intOrPtr _t24;
                                                                  				void* _t27;
                                                                  
                                                                  				_push(__ebx);
                                                                  				_v8 = __eax;
                                                                  				E00407AD8(_v8);
                                                                  				_push(_t27);
                                                                  				_push(0x40b2c6);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t27 + 0xfffffdac;
                                                                  				_t15 = FindFirstFileW(E004084C8(_v8),  &_v600); // executed
                                                                  				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                                                  					FindClose(_t15);
                                                                  				}
                                                                  				_pop(_t24);
                                                                  				 *[fs:eax] = _t24;
                                                                  				_push(E0040B2CD);
                                                                  				return E004079F4( &_v8);
                                                                  			}









                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,0040B2C6,?,?), ref: 0040B29B
                                                                  • FindClose.KERNEL32(00000000,00000000,?,00000000,0040B2C6,?,?), ref: 0040B2AB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID:
                                                                  • API String ID: 2295610775-0
                                                                  • Opcode ID: dcd63df1445c4785f46ad18630efca613813575deacfdb2e7f3fde81f5b7913b
                                                                  • Instruction ID: af97b761f8286923e3e8c7c54c75c770fa091db835a787e0331ac1096eca1aa4
                                                                  • Opcode Fuzzy Hash: dcd63df1445c4785f46ad18630efca613813575deacfdb2e7f3fde81f5b7913b
                                                                  • Instruction Fuzzy Hash: 56F0BE70914248AECB21EB75CC5295EB7ACEB44310BA005BAB804F32D1EB38AF009A5C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 78%
                                                                  			E0040AE8C(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                                                  				char _v8;
                                                                  				char* _v12;
                                                                  				void* _v16;
                                                                  				int _v20;
                                                                  				short _v542;
                                                                  				long _t51;
                                                                  				long _t85;
                                                                  				long _t87;
                                                                  				long _t89;
                                                                  				long _t91;
                                                                  				long _t93;
                                                                  				void* _t97;
                                                                  				intOrPtr _t106;
                                                                  				intOrPtr _t108;
                                                                  				void* _t112;
                                                                  				void* _t113;
                                                                  				intOrPtr _t114;
                                                                  
                                                                  				_t112 = _t113;
                                                                  				_t114 = _t113 + 0xfffffde4;
                                                                  				_t97 = __edx;
                                                                  				_v8 = __eax;
                                                                  				E00407AD8(_v8);
                                                                  				_push(_t112);
                                                                  				_push(0x40b0b1);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t114;
                                                                  				if(_v8 != 0) {
                                                                  					E0040A6C0( &_v542, E004084C8(_v8), 0x105);
                                                                  				} else {
                                                                  					GetModuleFileNameW(0,  &_v542, 0x105);
                                                                  				}
                                                                  				if(_v542 == 0) {
                                                                  					L18:
                                                                  					_pop(_t106);
                                                                  					 *[fs:eax] = _t106;
                                                                  					_push(E0040B0B8);
                                                                  					return E004079F4( &_v8);
                                                                  				} else {
                                                                  					_v12 = 0;
                                                                  					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                  					if(_t51 == 0) {
                                                                  						L10:
                                                                  						_push(_t112);
                                                                  						_push(0x40b094);
                                                                  						_push( *[fs:eax]);
                                                                  						 *[fs:eax] = _t114;
                                                                  						E0040AC9C( &_v542, 0x105);
                                                                  						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                                                  							if(RegQueryValueExW(_v16, E0040B1A4, 0, 0, 0,  &_v20) == 0) {
                                                                  								_v12 = E004053F0(_v20);
                                                                  								RegQueryValueExW(_v16, E0040B1A4, 0, 0, _v12,  &_v20);
                                                                  								E00408530(_t97, _v12);
                                                                  							}
                                                                  						} else {
                                                                  							_v12 = E004053F0(_v20);
                                                                  							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                                                  							E00408530(_t97, _v12);
                                                                  						}
                                                                  						_pop(_t108);
                                                                  						 *[fs:eax] = _t108;
                                                                  						_push(E0040B09B);
                                                                  						if(_v12 != 0) {
                                                                  							E0040540C(_v12);
                                                                  						}
                                                                  						return RegCloseKey(_v16);
                                                                  					} else {
                                                                  						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                  						if(_t85 == 0) {
                                                                  							goto L10;
                                                                  						} else {
                                                                  							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                  							if(_t87 == 0) {
                                                                  								goto L10;
                                                                  							} else {
                                                                  								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                  								if(_t89 == 0) {
                                                                  									goto L10;
                                                                  								} else {
                                                                  									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                  									if(_t91 == 0) {
                                                                  										goto L10;
                                                                  									} else {
                                                                  										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                  										if(_t93 != 0) {
                                                                  											goto L18;
                                                                  										} else {
                                                                  											goto L10;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  			}





















                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B0B1,?,?), ref: 0040AEC5
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B0B1,?,?), ref: 0040AF0E
                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B0B1,?,?), ref: 0040AF30
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040AF4E
                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040AF6C
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AF8A
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AFA8
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040B094,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B0B1), ref: 0040AFE8
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040B094,?,80000001), ref: 0040B013
                                                                  • RegCloseKey.ADVAPI32(?,0040B09B,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040B094,?,80000001,Software\Embarcadero\Locales), ref: 0040B08E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Open$QueryValue$CloseFileModuleName
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                  • API String ID: 2701450724-3496071916
                                                                  • Opcode ID: a7a4f7800a908a23690c429c9108a661baea305ffcb50fe6ed6af284978fef88
                                                                  • Instruction ID: 511bc42bdc18c233ca4c8d7f1893363b3cc50658f2258b81fe6dc99cbd1a726a
                                                                  • Opcode Fuzzy Hash: a7a4f7800a908a23690c429c9108a661baea305ffcb50fe6ed6af284978fef88
                                                                  • Instruction Fuzzy Hash: CE5121B5A50208BEEB10DAA5CC46FAFB7ACDB08704F504077BA14F61C1E7B8AA44865D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 91%
                                                                  			E0040426C(void* __eax, signed int __edi, void* __ebp) {
                                                                  				struct _MEMORY_BASIC_INFORMATION _v44;
                                                                  				void* _v48;
                                                                  				signed int __ebx;
                                                                  				void* _t58;
                                                                  				signed int _t61;
                                                                  				int _t65;
                                                                  				signed int _t67;
                                                                  				void _t70;
                                                                  				int _t71;
                                                                  				signed int _t78;
                                                                  				void* _t79;
                                                                  				signed int _t81;
                                                                  				intOrPtr _t82;
                                                                  				signed int _t87;
                                                                  				signed int _t88;
                                                                  				signed int _t89;
                                                                  				signed int _t92;
                                                                  				void* _t96;
                                                                  				signed int _t99;
                                                                  				void* _t103;
                                                                  				intOrPtr _t104;
                                                                  				void* _t106;
                                                                  				void* _t108;
                                                                  				signed int _t113;
                                                                  				void* _t115;
                                                                  				void* _t116;
                                                                  
                                                                  				_t56 = __eax;
                                                                  				_t89 =  *(__eax - 4);
                                                                  				_t78 =  *0x4ad059; // 0x0
                                                                  				if((_t89 & 0x00000007) != 0) {
                                                                  					__eflags = _t89 & 0x00000005;
                                                                  					if((_t89 & 0x00000005) != 0) {
                                                                  						_pop(_t78);
                                                                  						__eflags = _t89 & 0x00000003;
                                                                  						if((_t89 & 0x00000003) == 0) {
                                                                  							_push(_t78);
                                                                  							_push(__edi);
                                                                  							_t116 = _t115 + 0xffffffdc;
                                                                  							_t103 = __eax - 0x10;
                                                                  							E00403C48();
                                                                  							_t58 = _t103;
                                                                  							 *_t116 =  *_t58;
                                                                  							_v48 =  *((intOrPtr*)(_t58 + 4));
                                                                  							_t92 =  *(_t58 + 0xc);
                                                                  							if((_t92 & 0x00000008) != 0) {
                                                                  								_t79 = _t103;
                                                                  								_t113 = _t92 & 0xfffffff0;
                                                                  								_t99 = 0;
                                                                  								__eflags = 0;
                                                                  								while(1) {
                                                                  									VirtualQuery(_t79,  &_v44, 0x1c);
                                                                  									_t61 = VirtualFree(_t79, 0, 0x8000);
                                                                  									__eflags = _t61;
                                                                  									if(_t61 == 0) {
                                                                  										_t99 = _t99 | 0xffffffff;
                                                                  										goto L10;
                                                                  									}
                                                                  									_t104 = _v44.RegionSize;
                                                                  									__eflags = _t113 - _t104;
                                                                  									if(_t113 > _t104) {
                                                                  										_t113 = _t113 - _t104;
                                                                  										_t79 = _t79 + _t104;
                                                                  										continue;
                                                                  									}
                                                                  									goto L10;
                                                                  								}
                                                                  							} else {
                                                                  								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
                                                                  								if(_t65 == 0) {
                                                                  									_t99 = __edi | 0xffffffff;
                                                                  								} else {
                                                                  									_t99 = 0;
                                                                  								}
                                                                  							}
                                                                  							L10:
                                                                  							if(_t99 == 0) {
                                                                  								 *_v48 =  *_t116;
                                                                  								 *( *_t116 + 4) = _v48;
                                                                  							}
                                                                  							 *0x4afb78 = 0;
                                                                  							return _t99;
                                                                  						} else {
                                                                  							return 0xffffffff;
                                                                  						}
                                                                  					} else {
                                                                  						goto L31;
                                                                  					}
                                                                  				} else {
                                                                  					__eflags = __bl;
                                                                  					__ebx =  *__edx;
                                                                  					if(__eflags != 0) {
                                                                  						while(1) {
                                                                  							__eax = 0x100;
                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                  							if(__eflags == 0) {
                                                                  								goto L14;
                                                                  							}
                                                                  							asm("pause");
                                                                  							__eflags =  *0x4ad989;
                                                                  							if(__eflags != 0) {
                                                                  								continue;
                                                                  							} else {
                                                                  								Sleep(0);
                                                                  								__edx = __edx;
                                                                  								__ecx = __ecx;
                                                                  								__eax = 0x100;
                                                                  								asm("lock cmpxchg [ebx], ah");
                                                                  								if(__eflags != 0) {
                                                                  									Sleep(0xa);
                                                                  									__edx = __edx;
                                                                  									__ecx = __ecx;
                                                                  									continue;
                                                                  								}
                                                                  							}
                                                                  							goto L14;
                                                                  						}
                                                                  					}
                                                                  					L14:
                                                                  					_t14 = __edx + 0x14;
                                                                  					 *_t14 =  *(__edx + 0x14) - 1;
                                                                  					__eflags =  *_t14;
                                                                  					__eax =  *(__edx + 0x10);
                                                                  					if( *_t14 == 0) {
                                                                  						__eflags = __eax;
                                                                  						if(__eax == 0) {
                                                                  							L20:
                                                                  							 *(__ebx + 0x14) = __eax;
                                                                  						} else {
                                                                  							__eax =  *(__edx + 0xc);
                                                                  							__ecx =  *(__edx + 8);
                                                                  							 *(__eax + 8) = __ecx;
                                                                  							 *(__ecx + 0xc) = __eax;
                                                                  							__eax = 0;
                                                                  							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
                                                                  							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
                                                                  								goto L20;
                                                                  							}
                                                                  						}
                                                                  						 *__ebx = __al;
                                                                  						__eax = __edx;
                                                                  						__edx =  *(__edx - 4);
                                                                  						__bl =  *0x4ad059; // 0x0
                                                                  						L31:
                                                                  						__eflags = _t78;
                                                                  						_t81 = _t89 & 0xfffffff0;
                                                                  						_push(_t101);
                                                                  						_t106 = _t56;
                                                                  						if(__eflags != 0) {
                                                                  							while(1) {
                                                                  								_t67 = 0x100;
                                                                  								asm("lock cmpxchg [0x4adae8], ah");
                                                                  								if(__eflags == 0) {
                                                                  									goto L32;
                                                                  								}
                                                                  								asm("pause");
                                                                  								__eflags =  *0x4ad989;
                                                                  								if(__eflags != 0) {
                                                                  									continue;
                                                                  								} else {
                                                                  									Sleep(0);
                                                                  									_t67 = 0x100;
                                                                  									asm("lock cmpxchg [0x4adae8], ah");
                                                                  									if(__eflags != 0) {
                                                                  										Sleep(0xa);
                                                                  										continue;
                                                                  									}
                                                                  								}
                                                                  								goto L32;
                                                                  							}
                                                                  						}
                                                                  						L32:
                                                                  						__eflags = (_t106 - 4)[_t81] & 0x00000001;
                                                                  						_t87 = (_t106 - 4)[_t81];
                                                                  						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
                                                                  							_t67 = _t81 + _t106;
                                                                  							_t88 = _t87 & 0xfffffff0;
                                                                  							_t81 = _t81 + _t88;
                                                                  							__eflags = _t88 - 0xb30;
                                                                  							if(_t88 >= 0xb30) {
                                                                  								_t67 = E00403AC0(_t67);
                                                                  							}
                                                                  						} else {
                                                                  							_t88 = _t87 | 0x00000008;
                                                                  							__eflags = _t88;
                                                                  							(_t106 - 4)[_t81] = _t88;
                                                                  						}
                                                                  						__eflags =  *(_t106 - 4) & 0x00000008;
                                                                  						if(( *(_t106 - 4) & 0x00000008) != 0) {
                                                                  							_t88 =  *(_t106 - 8);
                                                                  							_t106 = _t106 - _t88;
                                                                  							_t81 = _t81 + _t88;
                                                                  							__eflags = _t88 - 0xb30;
                                                                  							if(_t88 >= 0xb30) {
                                                                  								_t67 = E00403AC0(_t106);
                                                                  							}
                                                                  						}
                                                                  						__eflags = _t81 - 0x13ffe0;
                                                                  						if(_t81 == 0x13ffe0) {
                                                                  							__eflags =  *0x4adaf0 - 0x13ffe0;
                                                                  							if( *0x4adaf0 != 0x13ffe0) {
                                                                  								_t82 = _t106 + 0x13ffe0;
                                                                  								E00403B60(_t67);
                                                                  								 *((intOrPtr*)(_t82 - 4)) = 2;
                                                                  								 *0x4adaf0 = 0x13ffe0;
                                                                  								 *0x4adaec = _t82;
                                                                  								 *0x4adae8 = 0;
                                                                  								__eflags = 0;
                                                                  								return 0;
                                                                  							} else {
                                                                  								_t108 = _t106 - 0x10;
                                                                  								_t70 =  *_t108;
                                                                  								_t96 =  *(_t108 + 4);
                                                                  								 *(_t70 + 4) = _t96;
                                                                  								 *_t96 = _t70;
                                                                  								 *0x4adae8 = 0;
                                                                  								_t71 = VirtualFree(_t108, 0, 0x8000);
                                                                  								__eflags = _t71 - 1;
                                                                  								asm("sbb eax, eax");
                                                                  								return _t71;
                                                                  							}
                                                                  						} else {
                                                                  							 *(_t106 - 4) = _t81 + 3;
                                                                  							 *(_t106 - 8 + _t81) = _t81;
                                                                  							E00403B00(_t106, _t88, _t81);
                                                                  							 *0x4adae8 = 0;
                                                                  							__eflags = 0;
                                                                  							return 0;
                                                                  						}
                                                                  					} else {
                                                                  						__eflags = __eax;
                                                                  						 *(__edx + 0x10) = __ecx;
                                                                  						 *(__ecx - 4) = __eax;
                                                                  						if(__eflags == 0) {
                                                                  							__ecx =  *(__ebx + 8);
                                                                  							 *(__edx + 0xc) = __ebx;
                                                                  							 *(__edx + 8) = __ecx;
                                                                  							 *(__ecx + 0xc) = __edx;
                                                                  							 *(__ebx + 8) = __edx;
                                                                  							 *__ebx = 0;
                                                                  							__eax = 0;
                                                                  							__eflags = 0;
                                                                  							_pop(__ebx);
                                                                  							return 0;
                                                                  						} else {
                                                                  							__eax = 0;
                                                                  							__eflags = 0;
                                                                  							 *__ebx = __al;
                                                                  							_pop(__ebx);
                                                                  							return 0;
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  			}





























                                                                  0x004042c0
                                                                  0x004042c0
                                                                  0x004042c3
                                                                  0x004042c6
                                                                  0x004042c9
                                                                  0x004042cc
                                                                  0x004042ce
                                                                  0x004042d1
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x004042d1
                                                                  0x004042d6
                                                                  0x004042d8
                                                                  0x004042da
                                                                  0x004042dd
                                                                  0x0040436d
                                                                  0x00404370
                                                                  0x00404372
                                                                  0x00404374
                                                                  0x00404375
                                                                  0x00404377
                                                                  0x00404328
                                                                  0x00404328
                                                                  0x0040432d
                                                                  0x00404335
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00404337
                                                                  0x00404339
                                                                  0x00404340
                                                                  0x00000000
                                                                  0x00404342
                                                                  0x00404344
                                                                  0x00404349
                                                                  0x0040434e
                                                                  0x00404356
                                                                  0x0040435a
                                                                  0x00000000
                                                                  0x0040435a
                                                                  0x00404356
                                                                  0x00000000
                                                                  0x00404340
                                                                  0x00404328
                                                                  0x00404379
                                                                  0x00404379
                                                                  0x00404381
                                                                  0x00404385
                                                                  0x004043bc
                                                                  0x004043bf
                                                                  0x004043c2
                                                                  0x004043c4
                                                                  0x004043ca
                                                                  0x004043cc
                                                                  0x004043cc
                                                                  0x00404387
                                                                  0x00404387
                                                                  0x00404387
                                                                  0x0040438a
                                                                  0x0040438a
                                                                  0x0040438e
                                                                  0x00404392
                                                                  0x004043d4
                                                                  0x004043d7
                                                                  0x004043d9
                                                                  0x004043db
                                                                  0x004043e1
                                                                  0x004043e5
                                                                  0x004043e5
                                                                  0x004043e1
                                                                  0x00404394
                                                                  0x0040439a
                                                                  0x004043ec
                                                                  0x004043f6
                                                                  0x00404424
                                                                  0x0040442a
                                                                  0x0040442f
                                                                  0x00404436
                                                                  0x00404440
                                                                  0x00404446
                                                                  0x0040444d
                                                                  0x00404451
                                                                  0x004043f8
                                                                  0x004043f8
                                                                  0x004043fb
                                                                  0x004043fd
                                                                  0x00404400
                                                                  0x00404403
                                                                  0x00404405
                                                                  0x00404414
                                                                  0x00404419
                                                                  0x0040441c
                                                                  0x00404420
                                                                  0x00404420
                                                                  0x0040439c
                                                                  0x0040439f
                                                                  0x004043a2
                                                                  0x004043aa
                                                                  0x004043af
                                                                  0x004043b6
                                                                  0x004043ba
                                                                  0x004043ba
                                                                  0x00404290
                                                                  0x00404290
                                                                  0x00404292
                                                                  0x00404298
                                                                  0x0040429b
                                                                  0x004042a4
                                                                  0x004042a7
                                                                  0x004042aa
                                                                  0x004042ad
                                                                  0x004042b0
                                                                  0x004042b3
                                                                  0x004042b6
                                                                  0x004042b6
                                                                  0x004042b8
                                                                  0x004042b9
                                                                  0x0040429d
                                                                  0x0040429d
                                                                  0x0040429d
                                                                  0x0040429f
                                                                  0x004042a1
                                                                  0x004042a2
                                                                  0x004042a2
                                                                  0x0040429b
                                                                  0x0040428e

                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,?,?,00000000,0040BEB4,0040BF1A,?,00000000,?,?,0040C23D,00000000,?,00000000,0040C73E,00000000), ref: 00404302
                                                                  • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BEB4,0040BF1A,?,00000000,?,?,0040C23D,00000000,?,00000000,0040C73E), ref: 0040431C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 6990eeb09af798ff89c122cab0389b867fa95b1857629a1b42165b3db1f08a53
                                                                  • Instruction ID: 42852a627608553f2d1d5efabc9574773b40d1f12e789e067a733302d184c96b
                                                                  • Opcode Fuzzy Hash: 6990eeb09af798ff89c122cab0389b867fa95b1857629a1b42165b3db1f08a53
                                                                  • Instruction Fuzzy Hash: 4071F1B17042008BE715DF29C884B16BFD8AF86715F1882BFE945AB3D2D6B8CD41C789
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 82%
                                                                  			E004A8383(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                  				intOrPtr _t17;
                                                                  				struct HWND__* _t21;
                                                                  				struct HWND__* _t22;
                                                                  				struct HWND__* _t25;
                                                                  				intOrPtr _t26;
                                                                  				intOrPtr _t28;
                                                                  				intOrPtr _t36;
                                                                  				intOrPtr _t39;
                                                                  				int _t40;
                                                                  				intOrPtr _t41;
                                                                  				intOrPtr _t43;
                                                                  				struct HWND__* _t46;
                                                                  				intOrPtr _t47;
                                                                  				intOrPtr _t50;
                                                                  				intOrPtr _t60;
                                                                  				intOrPtr _t62;
                                                                  				intOrPtr _t68;
                                                                  				intOrPtr _t69;
                                                                  				intOrPtr _t70;
                                                                  				void* _t73;
                                                                  				void* _t74;
                                                                  
                                                                  				_t74 = __eflags;
                                                                  				_t72 = __esi;
                                                                  				_t71 = __edi;
                                                                  				_t52 = __ebx;
                                                                  				_pop(_t62);
                                                                  				 *[fs:eax] = _t62;
                                                                  				_t17 =  *0x4b3718; // 0x0
                                                                  				 *0x4b3718 = 0;
                                                                  				E00405CC8(_t17);
                                                                  				_t21 = E0040E748(0, L"STATIC", 0,  *0x4b0634, 0, 0, 0, 0, 0, 0, 0); // executed
                                                                  				 *0x4ac450 = _t21;
                                                                  				_t22 =  *0x4ac450; // 0xd0256
                                                                  				 *0x4b3710 = SetWindowLongW(_t22, 0xfffffffc, E004A13B0);
                                                                  				_t25 =  *0x4ac450; // 0xd0256
                                                                  				 *(_t73 - 0x58) = _t25;
                                                                  				 *((char*)(_t73 - 0x54)) = 0;
                                                                  				_t26 =  *0x4b3720; // 0x51ca04
                                                                  				_t4 = _t26 + 0x20; // 0x1f2b95a
                                                                  				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
                                                                  				 *((char*)(_t73 - 0x4c)) = 0;
                                                                  				_t28 =  *0x4b3720; // 0x51ca04
                                                                  				_t7 = _t28 + 0x24; // 0x110400
                                                                  				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
                                                                  				 *((char*)(_t73 - 0x44)) = 0;
                                                                  				E0041A99C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
                                                                  				_push( *((intOrPtr*)(_t73 - 0x40)));
                                                                  				_push( *0x4b3714);
                                                                  				_push(E004A8660);
                                                                  				E00422AB8(_t73 - 0x5c, __ebx, __esi, _t74);
                                                                  				_push( *((intOrPtr*)(_t73 - 0x5c)));
                                                                  				E004087A4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
                                                                  				_t36 =  *0x4b372c; // 0x0, executed
                                                                  				E004A143C(_t36, _t52, 0x4ac44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
                                                                  				if( *0x4ac448 != 0xffffffff) {
                                                                  					_t50 =  *0x4ac448; // 0x0
                                                                  					E004A1320(_t50);
                                                                  				}
                                                                  				_pop(_t68);
                                                                  				 *[fs:eax] = _t68;
                                                                  				_push(E004A8534);
                                                                  				_t39 =  *0x4b3718; // 0x0
                                                                  				_t40 = E00405CC8(_t39);
                                                                  				if( *0x4b372c != 0) {
                                                                  					_t70 =  *0x4b372c; // 0x0
                                                                  					_t40 = E004A0ECC(0, _t70, 0xfa, 0x32); // executed
                                                                  				}
                                                                  				if( *0x4b3724 != 0) {
                                                                  					_t47 =  *0x4b3724; // 0x0
                                                                  					_t40 = RemoveDirectoryW(E004084C8(_t47)); // executed
                                                                  				}
                                                                  				if( *0x4ac450 != 0) {
                                                                  					_t46 =  *0x4ac450; // 0xd0256
                                                                  					_t40 = DestroyWindow(_t46); // executed
                                                                  				}
                                                                  				if( *0x4b3708 != 0) {
                                                                  					_t41 =  *0x4b3708; // 0x0
                                                                  					_t60 =  *0x4b370c; // 0x2
                                                                  					_t69 =  *0x426aa4; // 0x426aa8
                                                                  					E00408DAC(_t41, _t60, _t69);
                                                                  					_t43 =  *0x4b3708; // 0x0
                                                                  					E0040540C(_t43);
                                                                  					 *0x4b3708 = 0;
                                                                  					return 0;
                                                                  				}
                                                                  				return _t40;
                                                                  			}

























                                                                  APIs
                                                                    • Part of subcall function 0040E748: CreateWindowExW.USER32 ref: 0040E787
                                                                  • SetWindowLongW.USER32 ref: 004A83FE
                                                                    • Part of subcall function 00422AB8: GetCommandLineW.KERNEL32(00000000,00422AFA,?,?,00000000,?,004A845E,004A8660,?), ref: 00422ACE
                                                                    • Part of subcall function 004A143C: CreateProcessW.KERNEL32 ref: 004A14AC
                                                                    • Part of subcall function 004A143C: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004A153C,00000000,004A152C,00000000), ref: 004A14C0
                                                                    • Part of subcall function 004A143C: MsgWaitForMultipleObjects.USER32 ref: 004A14D9
                                                                    • Part of subcall function 004A143C: GetExitCodeProcess.KERNEL32 ref: 004A14ED
                                                                    • Part of subcall function 004A143C: CloseHandle.KERNEL32(?,?,004AC44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A14F6
                                                                  • RemoveDirectoryW.KERNEL32(00000000,004A8534), ref: 004A84E0
                                                                  • DestroyWindow.USER32(000D0256,004A8534), ref: 004A84F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                  • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                  • API String ID: 3586484885-3001827809
                                                                  • Opcode ID: a11fbe756f7f2081050fdb452eeb39d84f723be55f3184d7a3272a2ac561a8e7
                                                                  • Instruction ID: ad17a008a8a74016f0247325cd10a11e66cc17c3673bb36b701d74231778c7e7
                                                                  • Opcode Fuzzy Hash: a11fbe756f7f2081050fdb452eeb39d84f723be55f3184d7a3272a2ac561a8e7
                                                                  • Instruction Fuzzy Hash: F3416FB4A042049FDB14DFAAED95B597BF0E76A305F10863AE4009B2A1DF78AD41CB5C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 61%
                                                                  			E004A143C(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                  				char _v8;
                                                                  				struct _STARTUPINFOW _v76;
                                                                  				void* _v88;
                                                                  				void* _v92;
                                                                  				int _t23;
                                                                  				intOrPtr _t49;
                                                                  				DWORD* _t51;
                                                                  				void* _t56;
                                                                  
                                                                  				_v8 = 0;
                                                                  				_t51 = __ecx;
                                                                  				_t53 = __edx;
                                                                  				_t41 = __eax;
                                                                  				_push(_t56);
                                                                  				_push(0x4a1511);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t56 + 0xffffffa8;
                                                                  				_push(0x4a152c);
                                                                  				_push(__eax);
                                                                  				_push(E004A153C);
                                                                  				_push(__edx);
                                                                  				E004087A4( &_v8, __eax, 4, __ecx, __edx);
                                                                  				E00405864( &_v76, 0x44);
                                                                  				_v76.cb = 0x44;
                                                                  				_t23 = CreateProcessW(0, E004084C8(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
                                                                  				_t58 = _t23;
                                                                  				if(_t23 == 0) {
                                                                  					E004A1064(0x72, _t41, 0, _t53, _t58);
                                                                  				}
                                                                  				CloseHandle(_v88);
                                                                  				do {
                                                                  					E004A1410();
                                                                  				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
                                                                  				E004A1410();
                                                                  				GetExitCodeProcess(_v92, _t51); // executed
                                                                  				CloseHandle(_v92);
                                                                  				_pop(_t49);
                                                                  				 *[fs:eax] = _t49;
                                                                  				_push(E004A1518);
                                                                  				return E004079F4( &_v8);
                                                                  			}












                                                                  APIs
                                                                  • CreateProcessW.KERNEL32 ref: 004A14AC
                                                                  • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004A153C,00000000,004A152C,00000000), ref: 004A14C0
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 004A14D9
                                                                  • GetExitCodeProcess.KERNEL32 ref: 004A14ED
                                                                  • CloseHandle.KERNEL32(?,?,004AC44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A14F6
                                                                    • Part of subcall function 004A1064: GetLastError.KERNEL32(00000000,004A110B,?,?,00000000), ref: 004A1087
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                  • String ID: D
                                                                  • API String ID: 3356880605-2746444292
                                                                  • Opcode ID: 3f53cdb1fe7aa8bb8f06de78268ae7764ae86d97b50b59418d3b709dbb49c709
                                                                  • Instruction ID: 47d237310cf9ec714f0c62a9dd1f60edaf51b76bd8e3ac122ecf0cee1fcf75e2
                                                                  • Opcode Fuzzy Hash: 3f53cdb1fe7aa8bb8f06de78268ae7764ae86d97b50b59418d3b709dbb49c709
                                                                  • Instruction Fuzzy Hash: 6211A571A442087ADB00EBE68C42F9F7BACDF59714F50453BB604E72D2DA789900862D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 60%
                                                                  			E004A7A8C(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                                  				char _v8;
                                                                  				char _v12;
                                                                  				char _v16;
                                                                  				char _t16;
                                                                  				intOrPtr _t32;
                                                                  				intOrPtr _t41;
                                                                  
                                                                  				_t27 = __ebx;
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(_t41);
                                                                  				_push(0x4a7b56);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t41;
                                                                  				 *0x4b30d4 =  *0x4b30d4 - 1;
                                                                  				if( *0x4b30d4 < 0) {
                                                                  					 *0x4b30d8 = E0040E4A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
                                                                  					 *0x4b30dc = E0040E4A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
                                                                  					if( *0x4b30d8 == 0 ||  *0x4b30dc == 0) {
                                                                  						_t16 = 0;
                                                                  					} else {
                                                                  						_t16 = 1;
                                                                  					}
                                                                  					 *0x4b30e0 = _t16;
                                                                  					E00422C38( &_v12);
                                                                  					E00422554(_v12,  &_v8);
                                                                  					E004086C4( &_v8, L"shell32.dll");
                                                                  					E00421124(_v8, _t27, 0x8000); // executed
                                                                  					E004231E0(0x4c783afb,  &_v16);
                                                                  				}
                                                                  				_pop(_t32);
                                                                  				 *[fs:eax] = _t32;
                                                                  				_push(0x4a7b5d);
                                                                  				return E00407A54( &_v16, 3);
                                                                  			}










                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004A7B56,?,00000000,00000000,00000000), ref: 004A7ABA
                                                                    • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004A7B56,?,00000000,00000000,00000000), ref: 004A7AD4
                                                                    • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E50B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                  • API String ID: 1646373207-2130885113
                                                                  • Opcode ID: d416b1431fee2575f17526f7277d42f002a328a02d6f7a5176ac1df516150c71
                                                                  • Instruction ID: 2c4302aebef363acd514d918e3102629efdcfdb161d7c116b5a2cbd6c4c890f7
                                                                  • Opcode Fuzzy Hash: d416b1431fee2575f17526f7277d42f002a328a02d6f7a5176ac1df516150c71
                                                                  • Instruction Fuzzy Hash: 8B118270708204BFD720FB67DC52B5D77A4DB6A708FA0887BE40066291DA7C6A459A3D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 68%
                                                                  			E00403EE8(signed int __eax) {
                                                                  				signed int __ebx;
                                                                  				signed int __edi;
                                                                  				signed int __esi;
                                                                  				void* _t96;
                                                                  				void** _t99;
                                                                  				signed int _t104;
                                                                  				signed int _t109;
                                                                  				signed int _t110;
                                                                  				intOrPtr* _t114;
                                                                  				void* _t116;
                                                                  				void* _t121;
                                                                  				signed int _t125;
                                                                  				signed int _t129;
                                                                  				signed int _t131;
                                                                  				signed int _t132;
                                                                  				signed int _t133;
                                                                  				signed int _t134;
                                                                  				signed int _t135;
                                                                  				unsigned int _t141;
                                                                  				signed int _t142;
                                                                  				void* _t144;
                                                                  				void* _t147;
                                                                  				intOrPtr _t148;
                                                                  				signed int _t150;
                                                                  				long _t156;
                                                                  				intOrPtr _t159;
                                                                  				signed int _t162;
                                                                  
                                                                  				_t95 = __eax;
                                                                  				_t129 =  *0x4ad059; // 0x0
                                                                  				if(__eax > 0xa2c) {
                                                                  					__eflags = __eax - 0x40a2c;
                                                                  					if(__eax > 0x40a2c) {
                                                                  						_pop(_t120);
                                                                  						__eflags = __eax;
                                                                  						if(__eax >= 0) {
                                                                  							_push(_t120);
                                                                  							_t162 = __eax;
                                                                  							_t2 = _t162 + 0x10010; // 0x10110
                                                                  							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
                                                                  							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                                                                  							_t121 = _t96;
                                                                  							if(_t121 != 0) {
                                                                  								_t147 = _t121;
                                                                  								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                                                  								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                                                  								E00403C48();
                                                                  								_t99 =  *0x4afb80; // 0x4afb7c
                                                                  								 *_t147 = 0x4afb7c;
                                                                  								 *0x4afb80 = _t121;
                                                                  								 *(_t147 + 4) = _t99;
                                                                  								 *_t99 = _t121;
                                                                  								 *0x4afb78 = 0;
                                                                  								_t121 = _t121 + 0x10;
                                                                  							}
                                                                  							return _t121;
                                                                  						} else {
                                                                  							__eflags = 0;
                                                                  							return 0;
                                                                  						}
                                                                  					} else {
                                                                  						_t67 = _t95 + 0xd3; // 0x1d3
                                                                  						_t125 = (_t67 & 0xffffff00) + 0x30;
                                                                  						__eflags = _t129;
                                                                  						if(__eflags != 0) {
                                                                  							while(1) {
                                                                  								asm("lock cmpxchg [0x4adae8], ah");
                                                                  								if(__eflags == 0) {
                                                                  									goto L42;
                                                                  								}
                                                                  								asm("pause");
                                                                  								__eflags =  *0x4ad989;
                                                                  								if(__eflags != 0) {
                                                                  									continue;
                                                                  								} else {
                                                                  									Sleep(0);
                                                                  									asm("lock cmpxchg [0x4adae8], ah");
                                                                  									if(__eflags != 0) {
                                                                  										Sleep(0xa);
                                                                  										continue;
                                                                  									}
                                                                  								}
                                                                  								goto L42;
                                                                  							}
                                                                  						}
                                                                  						L42:
                                                                  						_t68 = _t125 - 0xb30; // -2445
                                                                  						_t141 = _t68;
                                                                  						_t142 = _t141 >> 0xd;
                                                                  						_t131 = _t141 >> 8;
                                                                  						_t104 = 0xffffffff << _t131 &  *(0x4adaf8 + _t142 * 4);
                                                                  						__eflags = 0xffffffff;
                                                                  						if(0xffffffff == 0) {
                                                                  							_t132 = _t142;
                                                                  							__eflags = 0xfffffffe << _t132 &  *0x4adaf4;
                                                                  							if((0xfffffffe << _t132 &  *0x4adaf4) == 0) {
                                                                  								_t133 =  *0x4adaf0; // 0x0
                                                                  								_t134 = _t133 - _t125;
                                                                  								__eflags = _t134;
                                                                  								if(_t134 < 0) {
                                                                  									_t109 = E00403BCC(_t125);
                                                                  								} else {
                                                                  									_t110 =  *0x4adaec; // 0x2342870
                                                                  									_t109 = _t110 - _t125;
                                                                  									 *0x4adaec = _t109;
                                                                  									 *0x4adaf0 = _t134;
                                                                  									 *(_t109 - 4) = _t125 | 0x00000002;
                                                                  								}
                                                                  								 *0x4adae8 = 0;
                                                                  								return _t109;
                                                                  							} else {
                                                                  								asm("bsf edx, eax");
                                                                  								asm("bsf ecx, eax");
                                                                  								_t135 = _t132 | _t142 << 0x00000005;
                                                                  								goto L50;
                                                                  							}
                                                                  						} else {
                                                                  							asm("bsf eax, eax");
                                                                  							_t135 = _t131 & 0xffffffe0 | _t104;
                                                                  							L50:
                                                                  							_push(_t152);
                                                                  							_push(_t145);
                                                                  							_t148 = 0x4adb78 + _t135 * 8;
                                                                  							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                                  							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                                  							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                                  							 *_t114 = _t148;
                                                                  							__eflags = _t148 - _t114;
                                                                  							if(_t148 == _t114) {
                                                                  								asm("rol eax, cl");
                                                                  								_t80 = 0x4adaf8 + _t142 * 4;
                                                                  								 *_t80 =  *(0x4adaf8 + _t142 * 4) & 0xfffffffe;
                                                                  								__eflags =  *_t80;
                                                                  								if( *_t80 == 0) {
                                                                  									asm("btr [0x4adaf4], edx");
                                                                  								}
                                                                  							}
                                                                  							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                                                  							_t144 = 0xfffffff0 - _t125;
                                                                  							__eflags = 0xfffffff0;
                                                                  							if(0xfffffff0 == 0) {
                                                                  								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                                                  								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                                                  								__eflags =  *_t89;
                                                                  							} else {
                                                                  								_t116 = _t125 + _t159;
                                                                  								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                                                  								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                                                  								__eflags = 0xfffffff0 - 0xb30;
                                                                  								if(0xfffffff0 >= 0xb30) {
                                                                  									E00403B00(_t116, 0xfffffffffffffff3, _t144);
                                                                  								}
                                                                  							}
                                                                  							_t93 = _t125 + 2; // 0x1a5
                                                                  							 *(_t159 - 4) = _t93;
                                                                  							 *0x4adae8 = 0;
                                                                  							return _t159;
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					__eflags = __cl;
                                                                  					_t6 = __edx + 0x4ad990; // 0xc8c8c8c8
                                                                  					__eax =  *_t6 & 0x000000ff;
                                                                  					__ebx = 0x4a9080 + ( *_t6 & 0x000000ff) * 8;
                                                                  					if(__eflags != 0) {
                                                                  						while(1) {
                                                                  							__eax = 0x100;
                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                  							if(__eflags == 0) {
                                                                  								goto L5;
                                                                  							}
                                                                  							__ebx = __ebx + 0x20;
                                                                  							__eflags = __ebx;
                                                                  							__eax = 0x100;
                                                                  							asm("lock cmpxchg [ebx], ah");
                                                                  							if(__ebx != 0) {
                                                                  								__ebx = __ebx + 0x20;
                                                                  								__eflags = __ebx;
                                                                  								__eax = 0x100;
                                                                  								asm("lock cmpxchg [ebx], ah");
                                                                  								if(__ebx != 0) {
                                                                  									__ebx = __ebx - 0x40;
                                                                  									asm("pause");
                                                                  									__eflags =  *0x4ad989;
                                                                  									if(__eflags != 0) {
                                                                  										continue;
                                                                  									} else {
                                                                  										Sleep(0);
                                                                  										__eax = 0x100;
                                                                  										asm("lock cmpxchg [ebx], ah");
                                                                  										if(__eflags != 0) {
                                                                  											Sleep(0xa);
                                                                  											continue;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  							goto L5;
                                                                  						}
                                                                  					}
                                                                  					L5:
                                                                  					__edx =  *(__ebx + 8);
                                                                  					__eax =  *(__edx + 0x10);
                                                                  					__ecx = 0xfffffff8;
                                                                  					__eflags = __edx - __ebx;
                                                                  					if(__edx == __ebx) {
                                                                  						__edx =  *(__ebx + 0x18);
                                                                  						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                  						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                                  						__eflags = __eax -  *(__ebx + 0x14);
                                                                  						if(__eax >  *(__ebx + 0x14)) {
                                                                  							_push(__esi);
                                                                  							_push(__edi);
                                                                  							__eflags =  *0x4ad059;
                                                                  							if(__eflags != 0) {
                                                                  								while(1) {
                                                                  									__eax = 0x100;
                                                                  									asm("lock cmpxchg [0x4adae8], ah");
                                                                  									if(__eflags == 0) {
                                                                  										goto L22;
                                                                  									}
                                                                  									asm("pause");
                                                                  									__eflags =  *0x4ad989;
                                                                  									if(__eflags != 0) {
                                                                  										continue;
                                                                  									} else {
                                                                  										Sleep(0);
                                                                  										__eax = 0x100;
                                                                  										asm("lock cmpxchg [0x4adae8], ah");
                                                                  										if(__eflags != 0) {
                                                                  											Sleep(0xa);
                                                                  											continue;
                                                                  										}
                                                                  									}
                                                                  									goto L22;
                                                                  								}
                                                                  							}
                                                                  							L22:
                                                                  							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4adaf4;
                                                                  							__eflags =  *(__ebx + 1) &  *0x4adaf4;
                                                                  							if(( *(__ebx + 1) &  *0x4adaf4) == 0) {
                                                                  								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                                                  								__edi =  *0x4adaf0; // 0x0
                                                                  								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                                                  								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                                                  									__eax =  *(__ebx + 6) & 0x0000ffff;
                                                                  									__edi = __eax;
                                                                  									__eax = E00403BCC(__eax);
                                                                  									__esi = __eax;
                                                                  									__eflags = __eax;
                                                                  									if(__eax != 0) {
                                                                  										goto L35;
                                                                  									} else {
                                                                  										 *0x4adae8 = __al;
                                                                  										 *__ebx = __al;
                                                                  										_pop(__edi);
                                                                  										_pop(__esi);
                                                                  										_pop(__ebx);
                                                                  										return __eax;
                                                                  									}
                                                                  								} else {
                                                                  									__esi =  *0x4adaec; // 0x2342870
                                                                  									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                                                  									__edx = __ecx + 0xb30;
                                                                  									__eflags = __edi - __ecx + 0xb30;
                                                                  									if(__edi >= __ecx + 0xb30) {
                                                                  										__edi = __ecx;
                                                                  									}
                                                                  									__esi = __esi - __edi;
                                                                  									 *0x4adaf0 =  *0x4adaf0 - __edi;
                                                                  									 *0x4adaec = __esi;
                                                                  									goto L35;
                                                                  								}
                                                                  							} else {
                                                                  								asm("bsf eax, esi");
                                                                  								__esi = __eax * 8;
                                                                  								__ecx =  *(0x4adaf8 + __eax * 4);
                                                                  								asm("bsf ecx, ecx");
                                                                  								__ecx =  *(0x4adaf8 + __eax * 4) + __eax * 8 * 4;
                                                                  								__edi = 0x4adb78 + ( *(0x4adaf8 + __eax * 4) + __eax * 8 * 4) * 8;
                                                                  								__esi =  *(__edi + 4);
                                                                  								__edx =  *(__esi + 4);
                                                                  								 *(__edi + 4) = __edx;
                                                                  								 *__edx = __edi;
                                                                  								__eflags = __edi - __edx;
                                                                  								if(__edi == __edx) {
                                                                  									__edx = 0xfffffffe;
                                                                  									asm("rol edx, cl");
                                                                  									_t38 = 0x4adaf8 + __eax * 4;
                                                                  									 *_t38 =  *(0x4adaf8 + __eax * 4) & 0xfffffffe;
                                                                  									__eflags =  *_t38;
                                                                  									if( *_t38 == 0) {
                                                                  										asm("btr [0x4adaf4], eax");
                                                                  									}
                                                                  								}
                                                                  								__edi = 0xfffffff0;
                                                                  								__edi = 0xfffffff0 &  *(__esi - 4);
                                                                  								__eflags = 0xfffffff0 - 0x10a60;
                                                                  								if(0xfffffff0 < 0x10a60) {
                                                                  									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                                                  									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                                                  									__eflags =  *_t52;
                                                                  								} else {
                                                                  									__edx = __edi;
                                                                  									__edi =  *(__ebx + 6) & 0x0000ffff;
                                                                  									__edx = __edx - __edi;
                                                                  									__eax = __edi + __esi;
                                                                  									__ecx = __edx + 3;
                                                                  									 *(__eax - 4) = __ecx;
                                                                  									 *(__edx + __eax - 8) = __edx;
                                                                  									__eax = E00403B00(__eax, __ecx, __edx);
                                                                  								}
                                                                  								L35:
                                                                  								_t56 = __edi + 6; // 0x6
                                                                  								__ecx = _t56;
                                                                  								 *(__esi - 4) = _t56;
                                                                  								__eax = 0;
                                                                  								 *0x4adae8 = __al;
                                                                  								 *__esi = __ebx;
                                                                  								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                                  								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                                                  								 *(__ebx + 0x18) = __esi;
                                                                  								_t61 = __esi + 0x20; // 0x2342890
                                                                  								__eax = _t61;
                                                                  								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                  								__edx = __ecx + __eax;
                                                                  								 *(__ebx + 0x10) = __ecx + __eax;
                                                                  								__edi = __edi + __esi;
                                                                  								__edi = __edi - __ecx;
                                                                  								__eflags = __edi;
                                                                  								 *(__ebx + 0x14) = __edi;
                                                                  								 *__ebx = 0;
                                                                  								 *(__eax - 4) = __esi;
                                                                  								_pop(__edi);
                                                                  								_pop(__esi);
                                                                  								_pop(__ebx);
                                                                  								return __eax;
                                                                  							}
                                                                  						} else {
                                                                  							_t19 = __edx + 0x14;
                                                                  							 *_t19 =  *(__edx + 0x14) + 1;
                                                                  							__eflags =  *_t19;
                                                                  							 *(__ebx + 0x10) = __ecx;
                                                                  							 *__ebx = 0;
                                                                  							 *(__eax - 4) = __edx;
                                                                  							_pop(__ebx);
                                                                  							return __eax;
                                                                  						}
                                                                  					} else {
                                                                  						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                                                  						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                                  						__eflags = 0xfffffff8;
                                                                  						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
                                                                  						 *(__eax - 4) = __edx;
                                                                  						if(0xfffffff8 == 0) {
                                                                  							__ecx =  *(__edx + 8);
                                                                  							 *(__ecx + 0xc) = __ebx;
                                                                  							 *(__ebx + 8) = __ecx;
                                                                  							 *__ebx = 0;
                                                                  							_pop(__ebx);
                                                                  							return __eax;
                                                                  						} else {
                                                                  							 *__ebx = 0;
                                                                  							_pop(__ebx);
                                                                  							return __eax;
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  			}






























                                                                  0x0040423e
                                                                  0x0040423c
                                                                  0x0040424d
                                                                  0x00404250
                                                                  0x00404253
                                                                  0x0040425f
                                                                  0x0040425f
                                                                  0x00404182
                                                                  0x00403f00
                                                                  0x00403f00
                                                                  0x00403f02
                                                                  0x00403f02
                                                                  0x00403f09
                                                                  0x00403f10
                                                                  0x00403f68
                                                                  0x00403f68
                                                                  0x00403f6d
                                                                  0x00403f71
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403f73
                                                                  0x00403f73
                                                                  0x00403f76
                                                                  0x00403f7b
                                                                  0x00403f7f
                                                                  0x00403f81
                                                                  0x00403f81
                                                                  0x00403f84
                                                                  0x00403f89
                                                                  0x00403f8d
                                                                  0x00403f8f
                                                                  0x00403f92
                                                                  0x00403f94
                                                                  0x00403f9b
                                                                  0x00000000
                                                                  0x00403f9d
                                                                  0x00403f9f
                                                                  0x00403fa4
                                                                  0x00403fa9
                                                                  0x00403fad
                                                                  0x00403fb5
                                                                  0x00000000
                                                                  0x00403fb5
                                                                  0x00403fad
                                                                  0x00403f9b
                                                                  0x00403f8d
                                                                  0x00000000
                                                                  0x00403f7f
                                                                  0x00403f68
                                                                  0x00403f12
                                                                  0x00403f12
                                                                  0x00403f15
                                                                  0x00403f18
                                                                  0x00403f1d
                                                                  0x00403f1f
                                                                  0x00403f38
                                                                  0x00403f3b
                                                                  0x00403f3f
                                                                  0x00403f41
                                                                  0x00403f44
                                                                  0x00403fbc
                                                                  0x00403fbd
                                                                  0x00403fbe
                                                                  0x00403fc5
                                                                  0x00403fc7
                                                                  0x00403fc7
                                                                  0x00403fcc
                                                                  0x00403fd4
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00403fd6
                                                                  0x00403fd8
                                                                  0x00403fdf
                                                                  0x00000000
                                                                  0x00403fe1
                                                                  0x00403fe3
                                                                  0x00403fe8
                                                                  0x00403fed
                                                                  0x00403ff5
                                                                  0x00403ff9
                                                                  0x00000000
                                                                  0x00403ff9
                                                                  0x00403ff5
                                                                  0x00000000
                                                                  0x00403fdf
                                                                  0x00403fc7
                                                                  0x00404000
                                                                  0x00404004
                                                                  0x00404004
                                                                  0x0040400a
                                                                  0x0040407c
                                                                  0x00404080
                                                                  0x00404086
                                                                  0x00404088
                                                                  0x004040b0
                                                                  0x004040b4
                                                                  0x004040b6
                                                                  0x004040bb
                                                                  0x004040bd
                                                                  0x004040bf
                                                                  0x00000000
                                                                  0x004040c1
                                                                  0x004040c1
                                                                  0x004040c6
                                                                  0x004040c8
                                                                  0x004040c9
                                                                  0x004040ca
                                                                  0x004040cb
                                                                  0x004040cb
                                                                  0x0040408a
                                                                  0x0040408a
                                                                  0x00404090
                                                                  0x00404094
                                                                  0x0040409a
                                                                  0x0040409c
                                                                  0x0040409e
                                                                  0x0040409e
                                                                  0x004040a0
                                                                  0x004040a2
                                                                  0x004040a8
                                                                  0x00000000
                                                                  0x004040a8
                                                                  0x0040400c
                                                                  0x0040400c
                                                                  0x0040400f
                                                                  0x00404016
                                                                  0x0040401d
                                                                  0x00404020
                                                                  0x00404023
                                                                  0x0040402a
                                                                  0x0040402d
                                                                  0x00404030
                                                                  0x00404033
                                                                  0x00404035
                                                                  0x00404037
                                                                  0x00404039
                                                                  0x0040403e
                                                                  0x00404040
                                                                  0x00404040
                                                                  0x00404040
                                                                  0x00404047
                                                                  0x00404049
                                                                  0x00404049
                                                                  0x00404047
                                                                  0x00404050
                                                                  0x00404055
                                                                  0x00404058
                                                                  0x0040405e
                                                                  0x004040cc
                                                                  0x004040cc
                                                                  0x004040cc
                                                                  0x00404060
                                                                  0x00404060
                                                                  0x00404062
                                                                  0x00404066
                                                                  0x00404068
                                                                  0x0040406b
                                                                  0x0040406e
                                                                  0x00404071
                                                                  0x00404075
                                                                  0x00404075
                                                                  0x004040d1
                                                                  0x004040d1
                                                                  0x004040d1
                                                                  0x004040d4
                                                                  0x004040d7
                                                                  0x004040d9
                                                                  0x004040de
                                                                  0x004040e0
                                                                  0x004040e3
                                                                  0x004040ea
                                                                  0x004040ed
                                                                  0x004040ed
                                                                  0x004040f0
                                                                  0x004040f4
                                                                  0x004040f7
                                                                  0x004040fa
                                                                  0x004040fc
                                                                  0x004040fc
                                                                  0x004040fe
                                                                  0x00404101
                                                                  0x00404104
                                                                  0x00404107
                                                                  0x00404108
                                                                  0x00404109
                                                                  0x0040410a
                                                                  0x0040410a
                                                                  0x00403f46
                                                                  0x00403f46
                                                                  0x00403f46
                                                                  0x00403f46
                                                                  0x00403f4a
                                                                  0x00403f4d
                                                                  0x00403f50
                                                                  0x00403f53
                                                                  0x00403f54
                                                                  0x00403f54
                                                                  0x00403f21
                                                                  0x00403f21
                                                                  0x00403f25
                                                                  0x00403f25
                                                                  0x00403f28
                                                                  0x00403f2b
                                                                  0x00403f2e
                                                                  0x00403f58
                                                                  0x00403f5b
                                                                  0x00403f5e
                                                                  0x00403f61
                                                                  0x00403f64
                                                                  0x00403f65
                                                                  0x00403f30
                                                                  0x00403f30
                                                                  0x00403f33
                                                                  0x00403f34
                                                                  0x00403f34
                                                                  0x00403f2e
                                                                  0x00403f1f

                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403F9F
                                                                  • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403FB5
                                                                  • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403FE3
                                                                  • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403FF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: de0d06ab3528a7223025f1b9446eacc1668a16eaa8b8f8de44a1672ae8a3e8ae
                                                                  • Instruction ID: 40858f6e4be6ca8b0a26f9524243d71a381fde2c256961902b301cd5bde9a830
                                                                  • Opcode Fuzzy Hash: de0d06ab3528a7223025f1b9446eacc1668a16eaa8b8f8de44a1672ae8a3e8ae
                                                                  • Instruction Fuzzy Hash: F6C146B2A052118BCB19CF68E884356BFE4ABC6311F1882BFE516AB7D1C774D941C79C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 73%
                                                                  			E004A80CC(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                                                  				intOrPtr _t26;
                                                                  				intOrPtr _t31;
                                                                  				intOrPtr _t37;
                                                                  				intOrPtr _t38;
                                                                  				intOrPtr _t42;
                                                                  				intOrPtr _t44;
                                                                  				intOrPtr _t47;
                                                                  				intOrPtr _t51;
                                                                  				intOrPtr _t53;
                                                                  				intOrPtr _t55;
                                                                  				intOrPtr _t56;
                                                                  				intOrPtr _t59;
                                                                  				intOrPtr _t61;
                                                                  				WCHAR* _t63;
                                                                  				intOrPtr _t69;
                                                                  				intOrPtr _t74;
                                                                  				int _t75;
                                                                  				intOrPtr _t76;
                                                                  				intOrPtr _t78;
                                                                  				struct HWND__* _t81;
                                                                  				intOrPtr _t82;
                                                                  				intOrPtr _t86;
                                                                  				void* _t90;
                                                                  				intOrPtr _t93;
                                                                  				intOrPtr _t99;
                                                                  				intOrPtr _t101;
                                                                  				intOrPtr _t107;
                                                                  				intOrPtr _t114;
                                                                  				intOrPtr _t115;
                                                                  				intOrPtr _t116;
                                                                  				intOrPtr _t117;
                                                                  				void* _t120;
                                                                  				intOrPtr _t121;
                                                                  
                                                                  				_t119 = __esi;
                                                                  				_t118 = __edi;
                                                                  				_t85 = __ebx;
                                                                  				_pop(_t101);
                                                                  				_pop(_t88);
                                                                  				 *[fs:eax] = _t101;
                                                                  				E004A138C(_t88);
                                                                  				if( *0x4ac440 == 0) {
                                                                  					if(( *0x4b3701 & 0x00000001) == 0 &&  *0x4ac441 == 0) {
                                                                  						_t61 =  *0x4ac674; // 0x4b2d04
                                                                  						_t4 = _t61 + 0x2b4; // 0x0
                                                                  						_t63 = E004084C8( *_t4);
                                                                  						_t88 = _t120 - 0x28;
                                                                  						_t101 =  *0x4b35d8; // 0x0
                                                                  						E00426DFC(0xb1, _t120 - 0x28, _t101);
                                                                  						if(MessageBoxW(0, E004084C8( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
                                                                  							 *0x4ac44c = 2;
                                                                  							E0041F358();
                                                                  						}
                                                                  					}
                                                                  					E004056B0();
                                                                  					E004A0D04(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
                                                                  					E00407DD4(0x4b3724,  *((intOrPtr*)(_t120 - 0x2c)));
                                                                  					_t26 =  *0x4b3714; // 0x0
                                                                  					E00422848(_t26, _t88, _t120 - 0x34);
                                                                  					E004225BC( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
                                                                  					_push( *((intOrPtr*)(_t120 - 0x30)));
                                                                  					_t31 =  *0x4b3724; // 0x0
                                                                  					E00422554(_t31, _t120 - 0x38);
                                                                  					_pop(_t90);
                                                                  					E0040871C(0x4b3728, _t90,  *((intOrPtr*)(_t120 - 0x38)));
                                                                  					_t107 =  *0x4b3728; // 0x0
                                                                  					E00407DD4(0x4b372c, _t107);
                                                                  					_t37 =  *0x4b3720; // 0x51ca04
                                                                  					_t15 = _t37 + 0x14; // 0x1ffd0cc
                                                                  					_t38 =  *0x4b3718; // 0x0
                                                                  					E00423BDC(_t38,  *_t15);
                                                                  					_push(_t120);
                                                                  					_push(0x4a838d);
                                                                  					_push( *[fs:edx]);
                                                                  					 *[fs:edx] = _t121;
                                                                  					 *0x4b3770 = 0;
                                                                  					_t42 = E00423BF4(1, 0, 1, 0); // executed
                                                                  					 *0x4b371c = _t42;
                                                                  					_push(_t120);
                                                                  					_push(0x4a837c);
                                                                  					_push( *[fs:eax]);
                                                                  					 *[fs:eax] = _t121;
                                                                  					_t44 =  *0x4b3720; // 0x51ca04
                                                                  					_t16 = _t44 + 0x18; // 0x2ce7f8
                                                                  					 *0x4b3770 = E004053F0( *_t16);
                                                                  					_t47 =  *0x4b3720; // 0x51ca04
                                                                  					_t17 = _t47 + 0x18; // 0x2ce7f8
                                                                  					_t86 =  *0x4b3770; // 0x7fbe0010
                                                                  					E00405864(_t86,  *_t17);
                                                                  					_push(_t120);
                                                                  					_push(0x4a82cb);
                                                                  					_push( *[fs:eax]);
                                                                  					 *[fs:eax] = _t121;
                                                                  					_t51 =  *0x424bcc; // 0x424c24
                                                                  					_t93 =  *0x4b3718; // 0x0
                                                                  					_t53 = E0042463C(_t93, 1, _t51); // executed
                                                                  					 *0x4b3774 = _t53;
                                                                  					_push(_t120);
                                                                  					_push(0x4a82ba);
                                                                  					_push( *[fs:eax]);
                                                                  					 *[fs:eax] = _t121;
                                                                  					_t55 =  *0x4b3720; // 0x51ca04
                                                                  					_t18 = _t55 + 0x18; // 0x2ce7f8
                                                                  					_t56 =  *0x4b3774; // 0x23529a0
                                                                  					E00424918(_t56,  *_t18, _t86);
                                                                  					_pop(_t114);
                                                                  					 *[fs:eax] = _t114;
                                                                  					_push(E004A82C1);
                                                                  					_t59 =  *0x4b3774; // 0x23529a0
                                                                  					return E00405CC8(_t59);
                                                                  				} else {
                                                                  					_t69 =  *0x4ac674; // 0x4b2d04
                                                                  					_t1 = _t69 + 0x18c; // 0x0
                                                                  					E004A1754( *_t1, __ebx, __edi, __esi);
                                                                  					 *0x4ac44c = 0;
                                                                  					_pop(_t115);
                                                                  					 *[fs:eax] = _t115;
                                                                  					_push(E004A8534);
                                                                  					_t74 =  *0x4b3718; // 0x0
                                                                  					_t75 = E00405CC8(_t74);
                                                                  					if( *0x4b372c != 0) {
                                                                  						_t117 =  *0x4b372c; // 0x0
                                                                  						_t75 = E004A0ECC(0, _t117, 0xfa, 0x32); // executed
                                                                  					}
                                                                  					if( *0x4b3724 != 0) {
                                                                  						_t82 =  *0x4b3724; // 0x0
                                                                  						_t75 = RemoveDirectoryW(E004084C8(_t82)); // executed
                                                                  					}
                                                                  					if( *0x4ac450 != 0) {
                                                                  						_t81 =  *0x4ac450; // 0xd0256
                                                                  						_t75 = DestroyWindow(_t81); // executed
                                                                  					}
                                                                  					if( *0x4b3708 != 0) {
                                                                  						_t76 =  *0x4b3708; // 0x0
                                                                  						_t99 =  *0x4b370c; // 0x2
                                                                  						_t116 =  *0x426aa4; // 0x426aa8
                                                                  						E00408DAC(_t76, _t99, _t116);
                                                                  						_t78 =  *0x4b3708; // 0x0
                                                                  						E0040540C(_t78);
                                                                  						 *0x4b3708 = 0;
                                                                  						return 0;
                                                                  					}
                                                                  					return _t75;
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004A815B
                                                                    • Part of subcall function 004A1754: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004A17BE
                                                                  • RemoveDirectoryW.KERNEL32(00000000,004A8534), ref: 004A84E0
                                                                  • DestroyWindow.USER32(000D0256,004A8534), ref: 004A84F4
                                                                    • Part of subcall function 004A0ECC: Sleep.KERNEL32(?,?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0EEB
                                                                    • Part of subcall function 004A0ECC: GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F0E
                                                                    • Part of subcall function 004A0ECC: GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F18
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
                                                                  • String ID: $LB$.tmp
                                                                  • API String ID: 3858953238-2116547132
                                                                  • Opcode ID: f43bd58ab390326026b5c830374453e98346b79b57d4fe5b5190d731510edfc5
                                                                  • Instruction ID: f755fe4bfd509cc25c2ddd0c8339d8558b2a0affd53895b10bdf613ffe7a07dc
                                                                  • Opcode Fuzzy Hash: f43bd58ab390326026b5c830374453e98346b79b57d4fe5b5190d731510edfc5
                                                                  • Instruction Fuzzy Hash: 92615BF4640240AFDB11EF6AEC92A567BE5E75A305F50867AF800973A1CE38AD41CB1C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 402 407724-407738 403 40773a-407746 call 407604 call 40768c 402->403 404 40774b-407752 402->404 403->404 406 407754-40775f GetCurrentThreadId 404->406 407 407775-407779 404->407 406->407 411 407761-407770 call 40735c call 407660 406->411 408 40777b-407782 407->408 409 40779d-4077a1 407->409 408->409 412 407784-40779b 408->412 413 4077a3-4077a6 409->413 414 4077ad-4077b1 409->414 411->407 412->409 413->414 417 4077a8-4077aa 413->417 418 4077d0-4077d9 call 407384 414->418 419 4077b3-4077bc call 405494 414->419 417->414 428 4077e0-4077e5 418->428 429 4077db-4077de 418->429 419->418 430 4077be-4077ce call 405cc8 call 405494 419->430 431 407801-40780c call 40735c 428->431 432 4077e7-4077f5 call 40b780 428->432 429->428 429->431 430->418 441 407811-407815 431->441 442 40780e 431->442 432->431 440 4077f7-4077f9 432->440 440->431 446 4077fb-4077fc FreeLibrary 440->446 444 407817-407819 call 407660 441->444 445 40781e-407821 441->445 442->441 444->445 448 407823-40782a 445->448 449 40783a 445->449 446->431 450 407832-407835 ExitProcess 448->450 451 40782c 448->451 451->450
                                                                  C-Code - Quality: 86%
                                                                  			E00407724() {
                                                                  				void* _t20;
                                                                  				void* _t23;
                                                                  				intOrPtr _t31;
                                                                  				intOrPtr* _t33;
                                                                  				void* _t46;
                                                                  				struct HINSTANCE__* _t49;
                                                                  				void* _t56;
                                                                  
                                                                  				if( *0x4a9004 != 0) {
                                                                  					E00407604();
                                                                  					E0040768C(_t46);
                                                                  					 *0x4a9004 = 0;
                                                                  				}
                                                                  				if( *0x4afbcc != 0 && GetCurrentThreadId() ==  *0x4afbf4) {
                                                                  					E0040735C(0x4afbc8);
                                                                  					E00407660(0x4afbc8);
                                                                  				}
                                                                  				if( *0x004AFBC0 != 0 ||  *0x4ad054 == 0) {
                                                                  					L8:
                                                                  					if( *((char*)(0x4afbc0)) == 2 &&  *0x4a9000 == 0) {
                                                                  						 *0x004AFBA4 = 0;
                                                                  					}
                                                                  					if( *((char*)(0x4afbc0)) != 0) {
                                                                  						L14:
                                                                  						E00407384();
                                                                  						if( *((char*)(0x4afbc0)) <= 1 ||  *0x4a9000 != 0) {
                                                                  							_t15 =  *0x004AFBA8;
                                                                  							if( *0x004AFBA8 != 0) {
                                                                  								E0040B780(_t15);
                                                                  								_t31 =  *((intOrPtr*)(0x4afba8));
                                                                  								_t8 = _t31 + 0x10; // 0x400000
                                                                  								_t49 =  *_t8;
                                                                  								_t9 = _t31 + 4; // 0x400000
                                                                  								if(_t49 !=  *_t9 && _t49 != 0) {
                                                                  									FreeLibrary(_t49);
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						E0040735C(0x4afb98);
                                                                  						if( *((char*)(0x4afbc0)) == 1) {
                                                                  							 *0x004AFBBC();
                                                                  						}
                                                                  						if( *((char*)(0x4afbc0)) != 0) {
                                                                  							E00407660(0x4afb98);
                                                                  						}
                                                                  						if( *0x4afb98 == 0) {
                                                                  							if( *0x4ad038 != 0) {
                                                                  								 *0x4ad038();
                                                                  							}
                                                                  							ExitProcess( *0x4a9000); // executed
                                                                  						}
                                                                  						memcpy(0x4afb98,  *0x4afb98, 0xc << 2);
                                                                  						_t56 = _t56 + 0xc;
                                                                  						0x4a9000 = 0x4a9000;
                                                                  						0x4afb98 = 0x4afb98;
                                                                  						goto L8;
                                                                  					} else {
                                                                  						_t20 = E00405494();
                                                                  						_t44 = _t20;
                                                                  						if(_t20 == 0) {
                                                                  							goto L14;
                                                                  						} else {
                                                                  							goto L13;
                                                                  						}
                                                                  						do {
                                                                  							L13:
                                                                  							E00405CC8(_t44);
                                                                  							_t23 = E00405494();
                                                                  							_t44 = _t23;
                                                                  						} while (_t23 != 0);
                                                                  						goto L14;
                                                                  					}
                                                                  				} else {
                                                                  					do {
                                                                  						_t33 =  *0x4ad054; // 0x0
                                                                  						 *0x4ad054 = 0;
                                                                  						 *_t33();
                                                                  					} while ( *0x4ad054 != 0);
                                                                  					L8:
                                                                  					while(1) {
                                                                  					}
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00407754
                                                                  • FreeLibrary.KERNEL32(00400000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,0045354A,00000000), ref: 004077FC
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,0045354A,00000000), ref: 00407835
                                                                    • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?,0040553F), ref: 004076C5
                                                                    • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?), ref: 004076CB
                                                                    • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?), ref: 004076E6
                                                                    • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?), ref: 004076EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                  • String ID: MZP
                                                                  • API String ID: 3490077880-2889622443
                                                                  • Opcode ID: 27687baf6def8bf591ad0f3cbfb324307bfd436381f9ba0853c27a150f62d65a
                                                                  • Instruction ID: 4d6c15ac86d8b360ffdfc55aea4b1fc84de7d629047560fa0690051ca5318a6c
                                                                  • Opcode Fuzzy Hash: 27687baf6def8bf591ad0f3cbfb324307bfd436381f9ba0853c27a150f62d65a
                                                                  • Instruction Fuzzy Hash: DA319220E086415AE731AB79C48875B7AE46B06358F14883BD441A37D2D77CF884CB6F
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 86%
                                                                  			E0040771C() {
                                                                  				intOrPtr* _t14;
                                                                  				void* _t23;
                                                                  				void* _t26;
                                                                  				intOrPtr _t34;
                                                                  				intOrPtr* _t36;
                                                                  				void* _t50;
                                                                  				struct HINSTANCE__* _t53;
                                                                  				void* _t62;
                                                                  
                                                                  				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
                                                                  				if( *0x4a9004 != 0) {
                                                                  					E00407604();
                                                                  					E0040768C(_t50);
                                                                  					 *0x4a9004 = 0;
                                                                  				}
                                                                  				if( *0x4afbcc != 0 && GetCurrentThreadId() ==  *0x4afbf4) {
                                                                  					E0040735C(0x4afbc8);
                                                                  					E00407660(0x4afbc8);
                                                                  				}
                                                                  				if( *0x004AFBC0 != 0 ||  *0x4ad054 == 0) {
                                                                  					L9:
                                                                  					if( *((char*)(0x4afbc0)) == 2 &&  *0x4a9000 == 0) {
                                                                  						 *0x004AFBA4 = 0;
                                                                  					}
                                                                  					if( *((char*)(0x4afbc0)) != 0) {
                                                                  						L15:
                                                                  						E00407384();
                                                                  						if( *((char*)(0x4afbc0)) <= 1 ||  *0x4a9000 != 0) {
                                                                  							_t18 =  *0x004AFBA8;
                                                                  							if( *0x004AFBA8 != 0) {
                                                                  								E0040B780(_t18);
                                                                  								_t34 =  *((intOrPtr*)(0x4afba8));
                                                                  								_t8 = _t34 + 0x10; // 0x400000
                                                                  								_t53 =  *_t8;
                                                                  								_t9 = _t34 + 4; // 0x400000
                                                                  								if(_t53 !=  *_t9 && _t53 != 0) {
                                                                  									FreeLibrary(_t53);
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						E0040735C(0x4afb98);
                                                                  						if( *((char*)(0x4afbc0)) == 1) {
                                                                  							 *0x004AFBBC();
                                                                  						}
                                                                  						if( *((char*)(0x4afbc0)) != 0) {
                                                                  							E00407660(0x4afb98);
                                                                  						}
                                                                  						if( *0x4afb98 == 0) {
                                                                  							if( *0x4ad038 != 0) {
                                                                  								 *0x4ad038();
                                                                  							}
                                                                  							ExitProcess( *0x4a9000); // executed
                                                                  						}
                                                                  						memcpy(0x4afb98,  *0x4afb98, 0xc << 2);
                                                                  						_t62 = _t62 + 0xc;
                                                                  						0x4a9000 = 0x4a9000;
                                                                  						0x4afb98 = 0x4afb98;
                                                                  						goto L9;
                                                                  					} else {
                                                                  						_t23 = E00405494();
                                                                  						_t48 = _t23;
                                                                  						if(_t23 == 0) {
                                                                  							goto L15;
                                                                  						} else {
                                                                  							goto L14;
                                                                  						}
                                                                  						do {
                                                                  							L14:
                                                                  							E00405CC8(_t48);
                                                                  							_t26 = E00405494();
                                                                  							_t48 = _t26;
                                                                  						} while (_t26 != 0);
                                                                  						goto L15;
                                                                  					}
                                                                  				} else {
                                                                  					do {
                                                                  						_t36 =  *0x4ad054; // 0x0
                                                                  						 *0x4ad054 = 0;
                                                                  						 *_t36();
                                                                  					} while ( *0x4ad054 != 0);
                                                                  					L9:
                                                                  					while(1) {
                                                                  					}
                                                                  				}
                                                                  			}












                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00407754
                                                                  • FreeLibrary.KERNEL32(00400000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,0045354A,00000000), ref: 004077FC
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,0045354A,00000000), ref: 00407835
                                                                    • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?,0040553F), ref: 004076C5
                                                                    • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?), ref: 004076CB
                                                                    • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?), ref: 004076E6
                                                                    • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?), ref: 004076EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                  • String ID: MZP
                                                                  • API String ID: 3490077880-2889622443
                                                                  • Opcode ID: c0169702aa9a0112fec964110138e5601fa374416d594b0021619e1349d772d7
                                                                  • Instruction ID: 94527550a85b6d0efb8c992dbc1059f00de0a519c92a8f1d7b957efcc6585d4e
                                                                  • Opcode Fuzzy Hash: c0169702aa9a0112fec964110138e5601fa374416d594b0021619e1349d772d7
                                                                  • Instruction Fuzzy Hash: 8E315C20E087419AE731AB79848875B3BE06B16358F14883BE441A77D2D77CF884CB6F
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 73%
                                                                  			E004A0D04(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                                                  				char _v8;
                                                                  				char _v12;
                                                                  				char* _v16;
                                                                  				char _v20;
                                                                  				intOrPtr _v24;
                                                                  				char _v28;
                                                                  				char _v32;
                                                                  				char _v36;
                                                                  				char _v40;
                                                                  				int _t30;
                                                                  				intOrPtr _t63;
                                                                  				void* _t71;
                                                                  				void* _t73;
                                                                  				intOrPtr _t75;
                                                                  				intOrPtr _t76;
                                                                  
                                                                  				_t71 = __edi;
                                                                  				_t54 = __ebx;
                                                                  				_t75 = _t76;
                                                                  				_t55 = 4;
                                                                  				do {
                                                                  					_push(0);
                                                                  					_push(0);
                                                                  					_t55 = _t55 - 1;
                                                                  				} while (_t55 != 0);
                                                                  				_push(_t55);
                                                                  				_push(__ebx);
                                                                  				_t73 = __eax;
                                                                  				_t78 = 0;
                                                                  				_push(_t75);
                                                                  				_push(0x4a0df9);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t76;
                                                                  				while(1) {
                                                                  					E00422C64( &_v12, _t54, _t55, _t78); // executed
                                                                  					_t55 = L".tmp";
                                                                  					E004A0BE8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
                                                                  					_t30 = CreateDirectoryW(E004084C8(_v8), 0); // executed
                                                                  					if(_t30 != 0) {
                                                                  						break;
                                                                  					}
                                                                  					_t54 = GetLastError();
                                                                  					_t78 = _t54 - 0xb7;
                                                                  					if(_t54 != 0xb7) {
                                                                  						E00426DFC(0x3b,  &_v32, _v8);
                                                                  						_v28 = _v32;
                                                                  						E00419F38( &_v36, _t54, 0);
                                                                  						_v24 = _v36;
                                                                  						E004231E0(_t54,  &_v40);
                                                                  						_v20 = _v40;
                                                                  						E00426DCC(0x70, 2,  &_v28,  &_v16);
                                                                  						_t55 = _v16;
                                                                  						E0041F384(_v16, 1);
                                                                  						E004070F0();
                                                                  					}
                                                                  				}
                                                                  				E00407DD4(_t73, _v8);
                                                                  				__eflags = 0;
                                                                  				_pop(_t63);
                                                                  				 *[fs:eax] = _t63;
                                                                  				_push(E004A0E00);
                                                                  				E00407A54( &_v40, 3);
                                                                  				return E00407A54( &_v16, 3);
                                                                  			}



















                                                                  APIs
                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004A0DF9,?,?,?,00000003,00000000,00000000,?,004A8181), ref: 004A0D4C
                                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,004A0DF9,?,?,?,00000003,00000000,00000000,?,004A8181), ref: 004A0D55
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectoryErrorLast
                                                                  • String ID: $OA$.tmp
                                                                  • API String ID: 1375471231-3378223631
                                                                  • Opcode ID: c1f69d4ac7ed32912a2b85f44ff5ab6aba8f1595c1b5cc6fac2d72c7c5252cf6
                                                                  • Instruction ID: b2ec1cbb6bf4e9aaf38cbd7c23de4c70b0fa0b963ef3ce0e2719d642a434da45
                                                                  • Opcode Fuzzy Hash: c1f69d4ac7ed32912a2b85f44ff5ab6aba8f1595c1b5cc6fac2d72c7c5252cf6
                                                                  • Instruction Fuzzy Hash: 04217675A002099FDB00EBA1C841ADFB3B9EB59304F50457BF901B7381DA786E058B69
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  C-Code - Quality: 79%
                                                                  			E004A7000(void* __ecx, void* __edx) {
                                                                  				intOrPtr _t19;
                                                                  				intOrPtr _t22;
                                                                  
                                                                  				_push(_t22);
                                                                  				_push(0x4a70d7);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t22;
                                                                  				 *0x4ad98c =  *0x4ad98c - 1;
                                                                  				if( *0x4ad98c < 0) {
                                                                  					E00405B54();
                                                                  					E004051A8();
                                                                  					SetThreadLocale(0x400); // executed
                                                                  					E0040A5C4();
                                                                  					 *0x4a900c = 2;
                                                                  					 *0x4ad01c = 0x4036b0;
                                                                  					 *0x4ad020 = 0x4036b8;
                                                                  					 *0x4ad05a = 2;
                                                                  					 *0x4ad060 = E0040CDE0();
                                                                  					 *0x4ad008 = E004098F4;
                                                                  					E00405BAC(E00405B90());
                                                                  					 *0x4ad068 = 0xd7b0;
                                                                  					 *0x4ad344 = 0xd7b0;
                                                                  					 *0x4ad620 = 0xd7b0;
                                                                  					 *0x4ad050 = GetCommandLineW();
                                                                  					 *0x4ad04c = E00403810();
                                                                  					 *0x4ad97c = GetACP();
                                                                  					 *0x4ad980 = 0x4b0;
                                                                  					 *0x4ad044 = GetCurrentThreadId();
                                                                  					E0040CDF4();
                                                                  				}
                                                                  				_pop(_t19);
                                                                  				 *[fs:eax] = _t19;
                                                                  				_push(0x4a70de);
                                                                  				return 0;
                                                                  			}






                                                                  APIs
                                                                  • SetThreadLocale.KERNEL32(00000400,00000000,004A70D7), ref: 004A702D
                                                                    • Part of subcall function 0040A5C4: InitializeCriticalSection.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5C9
                                                                    • Part of subcall function 0040A5C4: GetVersion.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5D7
                                                                    • Part of subcall function 0040A5C4: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5FE
                                                                    • Part of subcall function 0040A5C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A604
                                                                    • Part of subcall function 0040A5C4: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A618
                                                                    • Part of subcall function 0040A5C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A61E
                                                                    • Part of subcall function 0040A5C4: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A632
                                                                    • Part of subcall function 0040A5C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A638
                                                                    • Part of subcall function 0040CDE0: GetSystemInfo.KERNEL32 ref: 0040CDE4
                                                                  • GetCommandLineW.KERNEL32(00000400,00000000,004A70D7), ref: 004A7092
                                                                    • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
                                                                  • GetACP.KERNEL32(00000400,00000000,004A70D7), ref: 004A70A6
                                                                  • GetCurrentThreadId.KERNEL32 ref: 004A70BA
                                                                    • Part of subcall function 0040CDF4: GetVersion.KERNEL32(004A70C9,00000400,00000000,004A70D7), ref: 0040CDF4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
                                                                  • String ID:
                                                                  • API String ID: 2740004594-0
                                                                  • Opcode ID: 751076c4bcae2fa5cb3ef74472dc0559afb380b7e743fee50856c719e0d04cff
                                                                  • Instruction ID: 2d6e9566c0f1ba9e301420735f22e2aaacda25799cb94ec5fa4b9a8b87f6e037
                                                                  • Opcode Fuzzy Hash: 751076c4bcae2fa5cb3ef74472dc0559afb380b7e743fee50856c719e0d04cff
                                                                  • Instruction Fuzzy Hash: EC1100B0808740A9E711BF72AC0660A3FA8FB4770DF41883EE10567AA2D7BD5545DF6E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 551 40e748-40e79c call 405720 CreateWindowExW call 405710
                                                                  C-Code - Quality: 100%
                                                                  			E0040E748(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                                  				WCHAR* _v8;
                                                                  				void* _t13;
                                                                  				struct HWND__* _t24;
                                                                  				WCHAR* _t29;
                                                                  				long _t32;
                                                                  
                                                                  				_v8 = _t29;
                                                                  				_t32 = __eax;
                                                                  				_t13 = E00405720();
                                                                  				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                  				E00405710(_t13);
                                                                  				return _t24;
                                                                  			}









                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID: InnoSetupLdrWindow$STATIC
                                                                  • API String ID: 716092398-2209255943
                                                                  • Opcode ID: 308ffab18e31b1134490d17498aac611e849f0f3c6d244726fd98e92013085e1
                                                                  • Instruction ID: f84a80031f046bc7831efab5cf97239724a0ea78ac17ff57204b8c6211417fe6
                                                                  • Opcode Fuzzy Hash: 308ffab18e31b1134490d17498aac611e849f0f3c6d244726fd98e92013085e1
                                                                  • Instruction Fuzzy Hash: 59F097B6600118BF8B40DE9DDC85DDB77ECEB4C264B054529FA0CD3201D634ED108BB4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 556 4a0ecc-4a0edd 557 4a0edf-4a0ee0 556->557 558 4a0f26-4a0f2b 556->558 559 4a0ee2-4a0ee5 557->559 560 4a0ef2-4a0ef5 559->560 561 4a0ee7-4a0ef0 Sleep 559->561 562 4a0f00-4a0f05 call 427040 560->562 563 4a0ef7-4a0efb Sleep 560->563 561->562 565 4a0f0a-4a0f0c 562->565 563->562 565->558 566 4a0f0e-4a0f16 GetLastError 565->566 566->558 567 4a0f18-4a0f20 GetLastError 566->567 567->558 568 4a0f22-4a0f24 567->568 568->558 568->559
                                                                  C-Code - Quality: 100%
                                                                  			E004A0ECC(long __eax, intOrPtr __edx, long _a4, long _a8) {
                                                                  				intOrPtr _v8;
                                                                  				long _t5;
                                                                  				long _t9;
                                                                  				void* _t10;
                                                                  				void* _t13;
                                                                  				void* _t15;
                                                                  				void* _t16;
                                                                  
                                                                  				_t5 = __eax;
                                                                  				_v8 = __edx;
                                                                  				_t9 = __eax;
                                                                  				_t15 = _t10 - 1;
                                                                  				if(_t15 < 0) {
                                                                  					L10:
                                                                  					return _t5;
                                                                  				}
                                                                  				_t16 = _t15 + 1;
                                                                  				_t13 = 0;
                                                                  				while(1) {
                                                                  					_t19 = _t13 - 1;
                                                                  					if(_t13 != 1) {
                                                                  						__eflags = _t13 - 1;
                                                                  						if(__eflags > 0) {
                                                                  							Sleep(_a4);
                                                                  						}
                                                                  					} else {
                                                                  						Sleep(_a8);
                                                                  					}
                                                                  					_t5 = E00427040(_t9, _v8, _t19); // executed
                                                                  					if(_t5 != 0) {
                                                                  						goto L10;
                                                                  					}
                                                                  					_t5 = GetLastError();
                                                                  					if(_t5 == 2) {
                                                                  						goto L10;
                                                                  					}
                                                                  					_t5 = GetLastError();
                                                                  					if(_t5 == 3) {
                                                                  						goto L10;
                                                                  					}
                                                                  					_t13 = _t13 + 1;
                                                                  					_t16 = _t16 - 1;
                                                                  					if(_t16 != 0) {
                                                                  						continue;
                                                                  					}
                                                                  					goto L10;
                                                                  				}
                                                                  				goto L10;
                                                                  			}











                                                                  APIs
                                                                  • Sleep.KERNEL32(?,?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0EEB
                                                                  • Sleep.KERNEL32(?,?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0EFB
                                                                  • GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F0E
                                                                  • GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F18
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastSleep
                                                                  • String ID:
                                                                  • API String ID: 1458359878-0
                                                                  • Opcode ID: cc2d4a94ccb7c0f067045319ffe32a9e8ea37e82b0256121e0719bcc797ceef4
                                                                  • Instruction ID: fcbe09275aa41918487a0acd76f4d80e315746382495138c44c41daec09aced7
                                                                  • Opcode Fuzzy Hash: cc2d4a94ccb7c0f067045319ffe32a9e8ea37e82b0256121e0719bcc797ceef4
                                                                  • Instruction Fuzzy Hash: A9F02B32B002241B6B30E95E9C4592F628CDAB7378B10052FF545E7302D4BDCC4152E8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 63%
                                                                  			E00420060(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
                                                                  				char _v8;
                                                                  				char _v9;
                                                                  				int _v16;
                                                                  				void* _v20;
                                                                  				void* _v24;
                                                                  				int _v28;
                                                                  				int _t33;
                                                                  				int _t43;
                                                                  				int _t64;
                                                                  				intOrPtr _t72;
                                                                  				intOrPtr _t74;
                                                                  				signed int* _t77;
                                                                  				signed int* _t79;
                                                                  				void* _t81;
                                                                  				void* _t82;
                                                                  				intOrPtr _t83;
                                                                  
                                                                  				_t81 = _t82;
                                                                  				_t83 = _t82 + 0xffffffe8;
                                                                  				_v8 = 0;
                                                                  				_t77 = __ecx;
                                                                  				_t79 = __edx;
                                                                  				_push(_t81);
                                                                  				_push(0x420160);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t83;
                                                                  				_v9 = 0;
                                                                  				E00407E1C( &_v8, __eax);
                                                                  				E00407F84( &_v8);
                                                                  				_t33 = GetFileVersionInfoSizeW(E004084C8(_v8),  &_v16); // executed
                                                                  				_t64 = _t33;
                                                                  				if(_t64 == 0) {
                                                                  					_pop(_t72);
                                                                  					 *[fs:eax] = _t72;
                                                                  					_push(0x420167);
                                                                  					return E004079F4( &_v8);
                                                                  				} else {
                                                                  					_v20 = E004053F0(_t64);
                                                                  					_push(_t81);
                                                                  					_push(0x420143);
                                                                  					_push( *[fs:edx]);
                                                                  					 *[fs:edx] = _t83;
                                                                  					_t43 = GetFileVersionInfoW(E004084C8(_v8), _v16, _t64, _v20); // executed
                                                                  					if(_t43 != 0 && VerQueryValueW(_v20, 0x420174,  &_v24,  &_v28) != 0) {
                                                                  						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
                                                                  						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
                                                                  						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
                                                                  						_v9 = 1;
                                                                  					}
                                                                  					_pop(_t74);
                                                                  					 *[fs:eax] = _t74;
                                                                  					_push(0x42014a);
                                                                  					return E0040540C(_v20);
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420160), ref: 004200A5
                                                                  • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420143,?,00000000,?,00000000,00420160), ref: 004200DE
                                                                  • VerQueryValueW.VERSION(?,00420174,?,?,00000000,?,00000000,?,00000000,00420143,?,00000000,?,00000000,00420160), ref: 004200F8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileInfoVersion$QuerySizeValue
                                                                  • String ID:
                                                                  • API String ID: 2179348866-0
                                                                  • Opcode ID: d183af1ef0636e6162bc8df42a0a4f5a0591cd6bdf26b12374301618c02b16f2
                                                                  • Instruction ID: 7a7f4719427165232ba07bab02eb7f8b2be03f671c4adb6f55d937d41512f1e4
                                                                  • Opcode Fuzzy Hash: d183af1ef0636e6162bc8df42a0a4f5a0591cd6bdf26b12374301618c02b16f2
                                                                  • Instruction Fuzzy Hash: 69312171A042199FDB01DFA9D9419BFB7F8EB48300B9144BAF404E3292DB79DD10D765
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 72%
                                                                  			E0040B484(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                                                  				intOrPtr _v8;
                                                                  				signed int _v12;
                                                                  				char _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				char _v28;
                                                                  				signed int _t41;
                                                                  				signed short _t43;
                                                                  				signed short _t46;
                                                                  				signed int _t60;
                                                                  				intOrPtr _t68;
                                                                  				void* _t79;
                                                                  				signed int* _t81;
                                                                  				intOrPtr _t84;
                                                                  
                                                                  				_t79 = __edi;
                                                                  				_t61 = __ecx;
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_push(__ebx);
                                                                  				_push(__esi);
                                                                  				_t81 = __ecx;
                                                                  				_v12 = __edx;
                                                                  				_v8 = __eax;
                                                                  				E00407AD8(_v8);
                                                                  				E00407AD8(_v12);
                                                                  				_push(_t84);
                                                                  				_push(0x40b59b);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t84;
                                                                  				E004079F4(__ecx);
                                                                  				if(_v12 == 0) {
                                                                  					L14:
                                                                  					_pop(_t68);
                                                                  					 *[fs:eax] = _t68;
                                                                  					_push(E0040B5A2);
                                                                  					return E00407A54( &_v28, 6);
                                                                  				}
                                                                  				E00407E1C( &_v20, _v12);
                                                                  				_t41 = _v12;
                                                                  				if(_t41 != 0) {
                                                                  					_t41 =  *(_t41 - 4);
                                                                  				}
                                                                  				_t60 = _t41;
                                                                  				if(_t60 < 1) {
                                                                  					L7:
                                                                  					_t43 = E0040B1A8(_v8, _t60, _t61,  &_v16, _t81); // executed
                                                                  					if(_v16 == 0) {
                                                                  						L00403730();
                                                                  						E0040AB58(_t43, _t60,  &_v24, _t79, _t81);
                                                                  						_t46 = E0040B2D4(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                                                  						__eflags =  *_t81;
                                                                  						if( *_t81 == 0) {
                                                                  							__eflags =  *0x4afc0c;
                                                                  							if( *0x4afc0c == 0) {
                                                                  								L00403738();
                                                                  								E0040AB58(_t46, _t60,  &_v28, _t79, _t81);
                                                                  								E0040B2D4(_v20, _t60, _t81, _v28, _t79, _t81);
                                                                  							}
                                                                  						}
                                                                  						__eflags =  *_t81;
                                                                  						if(__eflags == 0) {
                                                                  							E0040B3B8(_v20, _t60, _t81, __eflags); // executed
                                                                  						}
                                                                  					} else {
                                                                  						E0040B2D4(_v20, _t60, _t81, _v16, _t79, _t81);
                                                                  					}
                                                                  					goto L14;
                                                                  				}
                                                                  				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                                                  					_t60 = _t60 - 1;
                                                                  					__eflags = _t60;
                                                                  					if(_t60 != 0) {
                                                                  						continue;
                                                                  					}
                                                                  					goto L7;
                                                                  				}
                                                                  				_t61 = _t60;
                                                                  				E0040888C(_v12, _t60, 1,  &_v20);
                                                                  				goto L7;
                                                                  			}

                                                                  APIs
                                                                  • GetUserDefaultUILanguage.KERNEL32(00000000,0040B59B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B622,00000000,?,00000105), ref: 0040B52F
                                                                  • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B59B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B622,00000000,?,00000105), ref: 0040B557
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DefaultLanguage$SystemUser
                                                                  • String ID:
                                                                  • API String ID: 384301227-0
                                                                  • Opcode ID: a5df62239bc9b8b5aa42d2ad25163fdcfd826da8443722874e4a27fbb09cfcac
                                                                  • Instruction ID: 18846fc7009ae5a4e71a55a4188c0930fdf68c345da51b172561767d210bf349
                                                                  • Opcode Fuzzy Hash: a5df62239bc9b8b5aa42d2ad25163fdcfd826da8443722874e4a27fbb09cfcac
                                                                  • Instruction Fuzzy Hash: A5310170A10249ABDB10EF95C881AAEB7B5EF44308F5044BBE800B33D1D778AE458B9D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			E0040B5A8(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                  				char _v8;
                                                                  				short _v530;
                                                                  				char _v536;
                                                                  				char _v540;
                                                                  				void* _t44;
                                                                  				intOrPtr _t45;
                                                                  				void* _t49;
                                                                  				void* _t52;
                                                                  
                                                                  				_v536 = 0;
                                                                  				_v540 = 0;
                                                                  				_v8 = 0;
                                                                  				_t49 = __eax;
                                                                  				_push(_t52);
                                                                  				_push(0x40b662);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t52 + 0xfffffde8;
                                                                  				GetModuleFileNameW(0,  &_v530, 0x105);
                                                                  				E00408530( &_v536, _t49);
                                                                  				_push(_v536);
                                                                  				E0040856C( &_v540, 0x105,  &_v530);
                                                                  				_pop(_t44); // executed
                                                                  				E0040B484(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                                                  				if(_v8 != 0) {
                                                                  					LoadLibraryExW(E004084C8(_v8), 0, 2);
                                                                  				}
                                                                  				_pop(_t45);
                                                                  				 *[fs:eax] = _t45;
                                                                  				_push(E0040B669);
                                                                  				E00407A54( &_v540, 2);
                                                                  				return E004079F4( &_v8);
                                                                  			}

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B5E4
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B635
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileLibraryLoadModuleName
                                                                  • String ID:
                                                                  • API String ID: 1159719554-0
                                                                  • Opcode ID: 71a3d84090ee24f64dbd202d4203489a3ae5a06853d229489dca3004faea58dc
                                                                  • Instruction ID: b80f15a0147bad070475b0dcf22c8b753a80f6822e4b0def75fc5cb61c98f3c2
                                                                  • Opcode Fuzzy Hash: 71a3d84090ee24f64dbd202d4203489a3ae5a06853d229489dca3004faea58dc
                                                                  • Instruction Fuzzy Hash: AC118270A4421CABDB14EB60CD86BDE77B8DB04704F5144BAF408B32D1DB785F848A99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 60%
                                                                  			E00427040(void* __eax, void* __edx, void* __eflags) {
                                                                  				int _v8;
                                                                  				char _v16;
                                                                  				long _v20;
                                                                  				int _t13;
                                                                  				intOrPtr _t27;
                                                                  				void* _t32;
                                                                  				void* _t34;
                                                                  				intOrPtr _t35;
                                                                  
                                                                  				_t32 = _t34;
                                                                  				_t35 = _t34 + 0xfffffff0;
                                                                  				if(E00426FF4(__eax,  &_v16) != 0) {
                                                                  					_push(_t32);
                                                                  					_push(0x42709d);
                                                                  					_push( *[fs:eax]);
                                                                  					 *[fs:eax] = _t35;
                                                                  					_t13 = DeleteFileW(E004084C8(__edx)); // executed
                                                                  					_v8 = _t13;
                                                                  					_v20 = GetLastError();
                                                                  					_pop(_t27);
                                                                  					 *[fs:eax] = _t27;
                                                                  					_push(E004270A4);
                                                                  					return E00427030( &_v16);
                                                                  				} else {
                                                                  					_v8 = 0;
                                                                  					return _v8;
                                                                  				}
                                                                  			}












                                                                  APIs
                                                                  • DeleteFileW.KERNEL32(00000000,00000000,0042709D,?,0000000D,00000000), ref: 00427077
                                                                  • GetLastError.KERNEL32(00000000,00000000,0042709D,?,0000000D,00000000), ref: 0042707F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 2018770650-0
                                                                  • Opcode ID: a0fbf55be5ffcd09f305ae54ec4c1657f6674b1495f27545fe34e85a0120edfe
                                                                  • Instruction ID: 9cbfc24df38639fe3e45efe1b64bd3214acbd9b2112ca2de374008e0d0b065ce
                                                                  • Opcode Fuzzy Hash: a0fbf55be5ffcd09f305ae54ec4c1657f6674b1495f27545fe34e85a0120edfe
                                                                  • Instruction Fuzzy Hash: 54F0C831B08318ABDB00DB7AAC4189DB7E8DB49714B9149BBF814E3241EA785D144698
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 37%
                                                                  			E00421124(void* __eax, void* __ebx, int __edx) {
                                                                  				struct HINSTANCE__* _v12;
                                                                  				int _v16;
                                                                  				int _t4;
                                                                  				struct HINSTANCE__* _t9;
                                                                  				void* _t12;
                                                                  				intOrPtr _t16;
                                                                  				void* _t18;
                                                                  				void* _t19;
                                                                  				intOrPtr _t20;
                                                                  
                                                                  				_t18 = _t19;
                                                                  				_t20 = _t19 + 0xfffffff4;
                                                                  				_t12 = __eax;
                                                                  				_t4 = SetErrorMode(__edx); // executed
                                                                  				_v16 = _t4;
                                                                  				_push(_t18);
                                                                  				_push(0x421196);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t20;
                                                                  				asm("fnstcw word [ebp-0x2]");
                                                                  				_push(_t18);
                                                                  				_push(0x421178);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t20;
                                                                  				_t9 = LoadLibraryW(E004084C8(_t12)); // executed
                                                                  				_v12 = _t9;
                                                                  				_pop(_t16);
                                                                  				 *[fs:eax] = _t16;
                                                                  				_push(0x42117f);
                                                                  				asm("fclex");
                                                                  				asm("fldcw word [ebp-0x2]");
                                                                  				return 0;
                                                                  			}













                                                                  APIs
                                                                  • SetErrorMode.KERNEL32 ref: 0042112E
                                                                  • LoadLibraryW.KERNEL32(00000000,00000000,00421178,?,00000000,00421196), ref: 0042115D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLibraryLoadMode
                                                                  • String ID:
                                                                  • API String ID: 2987862817-0
                                                                  • Opcode ID: 58c8085b5dd36ac0ba48c9e98c217b3e8311cd8d6350e3969bf77500e8c19a68
                                                                  • Instruction ID: 6692b858657e05fdd79fffc9be95ae21615ec1a40954b736760fd61b652abef3
                                                                  • Opcode Fuzzy Hash: 58c8085b5dd36ac0ba48c9e98c217b3e8311cd8d6350e3969bf77500e8c19a68
                                                                  • Instruction Fuzzy Hash: 05F08270A14744BEDB125F769C5283BBAACE71DB047924CB6F910A26D1E63D4820C568
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004052D4() {
                                                                  				intOrPtr _t13;
                                                                  				intOrPtr* _t14;
                                                                  				int _t18;
                                                                  				intOrPtr* _t23;
                                                                  				void* _t25;
                                                                  				void* _t26;
                                                                  				void* _t28;
                                                                  				void* _t31;
                                                                  
                                                                  				_t28 =  *0x004ADADC;
                                                                  				while(_t28 != 0x4adad8) {
                                                                  					_t2 = _t28 + 4; // 0x4adad8
                                                                  					VirtualFree(_t28, 0, 0x8000); // executed
                                                                  					_t28 =  *_t2;
                                                                  				}
                                                                  				_t25 = 0x37;
                                                                  				_t13 = 0x4a9080;
                                                                  				do {
                                                                  					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
                                                                  					 *((intOrPtr*)(_t13 + 8)) = _t13;
                                                                  					 *((intOrPtr*)(_t13 + 0x10)) = 1;
                                                                  					 *((intOrPtr*)(_t13 + 0x14)) = 0;
                                                                  					_t13 = _t13 + 0x20;
                                                                  					_t25 = _t25 - 1;
                                                                  				} while (_t25 != 0);
                                                                  				 *0x4adad8 = 0x4adad8;
                                                                  				 *0x004ADADC = 0x4adad8;
                                                                  				_t26 = 0x400;
                                                                  				_t23 = 0x4adb78;
                                                                  				do {
                                                                  					_t14 = _t23;
                                                                  					 *_t14 = _t14;
                                                                  					_t8 = _t14 + 4; // 0x4adb78
                                                                  					 *_t8 = _t14;
                                                                  					_t23 = _t23 + 8;
                                                                  					_t26 = _t26 - 1;
                                                                  				} while (_t26 != 0);
                                                                  				 *0x4adaf4 = 0;
                                                                  				E00405864(0x4adaf8, 0x80);
                                                                  				_t18 = 0;
                                                                  				 *0x4adaf0 = 0;
                                                                  				_t31 =  *0x004AFB80;
                                                                  				while(_t31 != 0x4afb7c) {
                                                                  					_t10 = _t31 + 4; // 0x4afb7c
                                                                  					_t18 = VirtualFree(_t31, 0, 0x8000);
                                                                  					_t31 =  *_t10;
                                                                  				}
                                                                  				 *0x4afb7c = 0x4afb7c;
                                                                  				 *0x004AFB80 = 0x4afb7c;
                                                                  				return _t18;
                                                                  			}












                                                                  APIs
                                                                  • VirtualFree.KERNEL32(004ADAD8,00000000,00008000,?,?,?,?,004053D4,0040CEB2,00000000,0040CED0), ref: 004052F2
                                                                  • VirtualFree.KERNEL32(004AFB7C,00000000,00008000,004ADAD8,00000000,00008000,?,?,?,?,004053D4,0040CEB2,00000000,0040CED0), ref: 0040536E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 1263568516-0
                                                                  • Opcode ID: aca56245cc52c82a7b3f341d1c8cf7e92a798c0e1fefa8615c437f19d7d6098e
                                                                  • Instruction ID: f25e8dfbfec68b3d20904660ccd9f243b5161469b6c6478f3192385b195fbe5f
                                                                  • Opcode Fuzzy Hash: aca56245cc52c82a7b3f341d1c8cf7e92a798c0e1fefa8615c437f19d7d6098e
                                                                  • Instruction Fuzzy Hash: BE1160B1A056008BC7689F199840B17BBE4EB89754F15C0BFE54AEB791D778AC01CF9C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004231E0(long __eax, void* __edx) {
                                                                  				short _v2052;
                                                                  				signed int _t7;
                                                                  				void* _t10;
                                                                  				signed int _t16;
                                                                  				void* _t17;
                                                                  
                                                                  				_t10 = __edx;
                                                                  				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
                                                                  				while(_t7 > 0) {
                                                                  					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
                                                                  					if(_t16 <= 0x20) {
                                                                  						L1:
                                                                  						_t7 = _t7 - 1;
                                                                  						__eflags = _t7;
                                                                  						continue;
                                                                  					} else {
                                                                  						_t20 = _t16 - 0x2e;
                                                                  						if(_t16 == 0x2e) {
                                                                  							goto L1;
                                                                  						}
                                                                  					}
                                                                  					break;
                                                                  				}
                                                                  				return E00407B7C(_t10, _t7, _t17, _t20);
                                                                  			}









                                                                  APIs
                                                                  • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423B12,00000000,00423B63,?,00423D1C), ref: 004231FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FormatMessage
                                                                  • String ID:
                                                                  • API String ID: 1306739567-0
                                                                  • Opcode ID: 8a8ded29896a6a3d6e4ee71bfed8fc8627356091e34a13b4e2479e8e8f3ea2c7
                                                                  • Instruction ID: 3693045bc5da979ae713bd01a88bcb338427aee45f74c8d87c3cec6a1377aca4
                                                                  • Opcode Fuzzy Hash: 8a8ded29896a6a3d6e4ee71bfed8fc8627356091e34a13b4e2479e8e8f3ea2c7
                                                                  • Instruction Fuzzy Hash: 6CE0D86079833162E32416495C03B77241AD7D0B02FE4443AB6509E3D6D6BDA959917E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 31%
                                                                  			E0042290C(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                                                  				char _v8;
                                                                  				intOrPtr _t21;
                                                                  				intOrPtr _t24;
                                                                  
                                                                  				_push(0);
                                                                  				_push(_t24);
                                                                  				_push(0x422952);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t24;
                                                                  				E004228A0(__eax, __ecx,  &_v8, __eflags);
                                                                  				GetFileAttributesW(E004084C8(_v8)); // executed
                                                                  				_pop(_t21);
                                                                  				 *[fs:eax] = _t21;
                                                                  				_push(E00422959);
                                                                  				return E004079F4( &_v8);
                                                                  			}







                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,00422952,?,?,00000000,?,00422965,00422CD6,00000000,00422D1B,?,?,00000000,00000000), ref: 00422935
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 9695cc5852d01956a8356376f89e56037d2dc4f0e8c31fee9d54d063763669a7
                                                                  • Instruction ID: adf724cbc0e9ec99664fb7122883241a88969a7a5422e81553629d77d99d79d0
                                                                  • Opcode Fuzzy Hash: 9695cc5852d01956a8356376f89e56037d2dc4f0e8c31fee9d54d063763669a7
                                                                  • Instruction Fuzzy Hash: B1E09271704304BFE711EA72DD52A1AB7ACE788704FE1487AF500E3681EABCAE149558
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040A31C(void* __eax) {
                                                                  				short _v532;
                                                                  				void* __ebx;
                                                                  				void* __esi;
                                                                  				intOrPtr _t14;
                                                                  				void* _t16;
                                                                  				void* _t18;
                                                                  				void* _t19;
                                                                  				intOrPtr _t20;
                                                                  				void* _t21;
                                                                  
                                                                  				_t16 = __eax;
                                                                  				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                                                  				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                  					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                                                  					_t14 = E0040B5A8(_t21, _t16, _t18, _t19, _t22); // executed
                                                                  					_t20 = _t14;
                                                                  					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                                                  					if(_t20 == 0) {
                                                                  						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                                  					}
                                                                  				}
                                                                  				return  *((intOrPtr*)(_t16 + 0x10));
                                                                  			}













                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040A33A
                                                                    • Part of subcall function 0040B5A8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B5E4
                                                                    • Part of subcall function 0040B5A8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B635
                                                                  Similarity
                                                                  • API ID: FileModuleName$LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 4113206344-0
                                                                  • Opcode ID: 7766ab1267648783c04a200b04eef592fad2a77fbeaae978ffe5e046441881e1
                                                                  • Instruction ID: 6edb2253a7495ed0a954c92edacff3916eacbd1be06b1290003ff9fd73c136a7
                                                                  • Opcode Fuzzy Hash: 7766ab1267648783c04a200b04eef592fad2a77fbeaae978ffe5e046441881e1
                                                                  • Instruction Fuzzy Hash: 87E0ED71A013109FCB10DE6CC8C5A5B77D8AB08758F0449A6AD68EF386D375DD2487D5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00423C9C(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
                                                                  				void* _t17;
                                                                  
                                                                  				_t17 = CreateFileW(E004084C8(__edx),  *(0x4ab2e0 + (_a8 & 0x000000ff) * 4),  *(0x4ab2ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4ab2fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
                                                                  				return _t17;
                                                                  			}





                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423CD9
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  • Opcode ID: cd066e086ef1ed4415b0417d4103bee30a162689a27a68c38112519e4c91ff9d
                                                                  • Instruction ID: 1c9d4f23c8aa800b19e68a1bac3b745927229ba282ea9ea95d81522d104b03bb
                                                                  • Opcode Fuzzy Hash: cd066e086ef1ed4415b0417d4103bee30a162689a27a68c38112519e4c91ff9d
                                                                  • Instruction Fuzzy Hash: 77E012622442282AD240969E7C51F667F9CD75A755F404063F984D72C2C5659A1086E8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00423DCC(intOrPtr* __eax) {
                                                                  				int _t4;
                                                                  				intOrPtr* _t7;
                                                                  
                                                                  				_t7 = __eax;
                                                                  				_t4 = SetEndOfFile( *(__eax + 4)); // executed
                                                                  				if(_t4 == 0) {
                                                                  					return E00423BA0( *_t7);
                                                                  				}
                                                                  				return _t4;
                                                                  			}






                                                                  APIs
                                                                  • SetEndOfFile.KERNEL32(?,7FBE0010,004A833A,00000000), ref: 00423DD3
                                                                    • Part of subcall function 00423BA0: GetLastError.KERNEL32(004236F0,00423C43,?,?,00000000,?,004A7F5A,00000001,00000000,00000002,00000000,004A857E,?,00000000,004A85C2), ref: 00423BA3
                                                                  Similarity
                                                                  • API ID: ErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 734332943-0
                                                                  • Opcode ID: 0765ad1251f4f9bf448c2ca066bd2935a303bcba73d1fbfb61790bf244085abd
                                                                  • Instruction ID: cfa778f694ab93f521f9cbfb4fa9891c4931fcabf1aeac7c02125d20c1f19662
                                                                  • Opcode Fuzzy Hash: 0765ad1251f4f9bf448c2ca066bd2935a303bcba73d1fbfb61790bf244085abd
                                                                  • Instruction Fuzzy Hash: EAC04C61710110478B40AEBAE9C1A1666E85A582057804866B504DB206E66DD9148618
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040CDE0() {
                                                                  				intOrPtr _v16;
                                                                  				struct _SYSTEM_INFO* _t3;
                                                                  
                                                                  				GetSystemInfo(_t3); // executed
                                                                  				return _v16;
                                                                  			}






                                                                  APIs
                                                                  Similarity
                                                                  • API ID: InfoSystem
                                                                  • String ID:
                                                                  • API String ID: 31276548-0
                                                                  • Opcode ID: 64025997c8bef7f1ab34438094cc35a0f72d67f734e29c1609a2ef977955ad2c
                                                                  • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
                                                                  • Opcode Fuzzy Hash: 64025997c8bef7f1ab34438094cc35a0f72d67f734e29c1609a2ef977955ad2c
                                                                  • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00403BCC(signed int __eax) {
                                                                  				void* _t4;
                                                                  				intOrPtr _t7;
                                                                  				signed int _t8;
                                                                  				void** _t10;
                                                                  				void* _t12;
                                                                  				void* _t14;
                                                                  
                                                                  				_t8 = __eax;
                                                                  				E00403B60(__eax);
                                                                  				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                                                  				if(_t4 == 0) {
                                                                  					 *0x4adaf0 = 0;
                                                                  					return 0;
                                                                  				} else {
                                                                  					_t10 =  *0x4adadc; // 0x4adad8
                                                                  					_t14 = _t4;
                                                                  					 *_t14 = 0x4adad8;
                                                                  					 *0x4adadc = _t4;
                                                                  					 *(_t14 + 4) = _t10;
                                                                  					 *_t10 = _t4;
                                                                  					_t12 = _t14 + 0x13fff0;
                                                                  					 *((intOrPtr*)(_t12 - 4)) = 2;
                                                                  					 *0x4adaf0 = 0x13ffe0 - _t8;
                                                                  					_t7 = _t12 - _t8;
                                                                  					 *0x4adaec = _t7;
                                                                  					 *(_t7 - 4) = _t8 | 0x00000002;
                                                                  					return _t7;
                                                                  				}
                                                                  			}










                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000), ref: 00403BE3
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 3bdf8bd4fda1bd36d4237db231ebe1dbc8cc1a3380dd60ea691b8e259bfce746
                                                                  • Instruction ID: 39403439fc8b110e22d936a7dc32f3b39bb41696391bc635e89da5ad8fc0de99
                                                                  • Opcode Fuzzy Hash: 3bdf8bd4fda1bd36d4237db231ebe1dbc8cc1a3380dd60ea691b8e259bfce746
                                                                  • Instruction Fuzzy Hash: 74F08CF2F082504FD7149F789D407417EE8E70A315B10817EE94AEBB95D7B488018B88
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 96%
                                                                  			E00403CF6(void* __eax) {
                                                                  				struct _MEMORY_BASIC_INFORMATION _v44;
                                                                  				void* _v48;
                                                                  				void* _t13;
                                                                  				int _t20;
                                                                  				void* _t22;
                                                                  				signed int _t26;
                                                                  				signed int _t29;
                                                                  				signed int _t30;
                                                                  				void* _t34;
                                                                  				intOrPtr _t35;
                                                                  				signed int _t39;
                                                                  				void* _t41;
                                                                  				void* _t42;
                                                                  
                                                                  				_push(_t29);
                                                                  				_t42 = _t41 + 0xffffffdc;
                                                                  				_t34 = __eax - 0x10;
                                                                  				E00403C48();
                                                                  				_t13 = _t34;
                                                                  				 *_t42 =  *_t13;
                                                                  				_v48 =  *((intOrPtr*)(_t13 + 4));
                                                                  				_t26 =  *(_t13 + 0xc);
                                                                  				if((_t26 & 0x00000008) != 0) {
                                                                  					_t22 = _t34;
                                                                  					_t39 = _t26 & 0xfffffff0;
                                                                  					_t30 = 0;
                                                                  					while(1) {
                                                                  						VirtualQuery(_t22,  &_v44, 0x1c);
                                                                  						if(VirtualFree(_t22, 0, 0x8000) == 0) {
                                                                  							break;
                                                                  						}
                                                                  						_t35 = _v44.RegionSize;
                                                                  						if(_t39 > _t35) {
                                                                  							_t39 = _t39 - _t35;
                                                                  							_t22 = _t22 + _t35;
                                                                  							continue;
                                                                  						}
                                                                  						goto L10;
                                                                  					}
                                                                  					_t30 = _t30 | 0xffffffff;
                                                                  				} else {
                                                                  					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
                                                                  					if(_t20 == 0) {
                                                                  						_t30 = _t29 | 0xffffffff;
                                                                  					} else {
                                                                  						_t30 = 0;
                                                                  					}
                                                                  				}
                                                                  				L10:
                                                                  				if(_t30 == 0) {
                                                                  					 *_v48 =  *_t42;
                                                                  					 *( *_t42 + 4) = _v48;
                                                                  				}
                                                                  				 *0x4afb78 = 0;
                                                                  				return _t30;
                                                                  			}

















                                                                  APIs
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$Free$Query
                                                                  • String ID:
                                                                  • API String ID: 778034434-0
                                                                  • Opcode ID: b0456c6339b53605163a229e0112fb3a82e8289d127bf0df54443eeb5f5b923e
                                                                  • Instruction ID: ad0733c8d53d3b26cd92df12ea1f8837c747f7844e5edc0d0b0e07a6a81a6a36
                                                                  • Opcode Fuzzy Hash: b0456c6339b53605163a229e0112fb3a82e8289d127bf0df54443eeb5f5b923e
                                                                  • Instruction Fuzzy Hash: 36F06D35304A005FD311DF1AC844B17BBE9EFC5711F15C57AE888973A1D635DD018796
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  C-Code - Quality: 78%
                                                                  			E0040AC9C(short* __eax, intOrPtr __edx) {
                                                                  				short* _v8;
                                                                  				intOrPtr _v12;
                                                                  				intOrPtr _v16;
                                                                  				void* _v20;
                                                                  				struct _WIN32_FIND_DATAW _v612;
                                                                  				short _v1134;
                                                                  				signed int _t50;
                                                                  				signed int _t51;
                                                                  				void* _t55;
                                                                  				signed int _t88;
                                                                  				signed int _t89;
                                                                  				intOrPtr* _t90;
                                                                  				signed int _t101;
                                                                  				signed int _t102;
                                                                  				short* _t112;
                                                                  				struct HINSTANCE__* _t113;
                                                                  				short* _t115;
                                                                  				short* _t116;
                                                                  				void* _t117;
                                                                  
                                                                  				_v12 = __edx;
                                                                  				_v8 = __eax;
                                                                  				_v16 = _v8;
                                                                  				_t113 = GetModuleHandleW(L"kernel32.dll");
                                                                  				if(_t113 == 0) {
                                                                  					L4:
                                                                  					if( *_v8 != 0x5c) {
                                                                  						_t115 = _v8 + 4;
                                                                  						goto L10;
                                                                  					} else {
                                                                  						if( *((short*)(_v8 + 2)) == 0x5c) {
                                                                  							_t116 = E0040AC78(_v8 + 4);
                                                                  							if( *_t116 != 0) {
                                                                  								_t14 = _t116 + 2; // 0x2
                                                                  								_t115 = E0040AC78(_t14);
                                                                  								if( *_t115 != 0) {
                                                                  									L10:
                                                                  									_t88 = _t115 - _v8;
                                                                  									_t89 = _t88 >> 1;
                                                                  									if(_t88 < 0) {
                                                                  										asm("adc ebx, 0x0");
                                                                  									}
                                                                  									_t43 = _t89 + 1;
                                                                  									if(_t89 + 1 <= 0x105) {
                                                                  										E0040A6C0( &_v1134, _v8, _t43);
                                                                  										while( *_t115 != 0) {
                                                                  											_t112 = E0040AC78(_t115 + 2);
                                                                  											_t50 = _t112 - _t115;
                                                                  											_t51 = _t50 >> 1;
                                                                  											if(_t50 < 0) {
                                                                  												asm("adc eax, 0x0");
                                                                  											}
                                                                  											if(_t51 + _t89 + 1 <= 0x105) {
                                                                  												_t55 =  &_v1134 + _t89 + _t89;
                                                                  												_t101 = _t112 - _t115;
                                                                  												_t102 = _t101 >> 1;
                                                                  												if(_t101 < 0) {
                                                                  													asm("adc edx, 0x0");
                                                                  												}
                                                                  												E0040A6C0(_t55, _t115, _t102 + 1);
                                                                  												_v20 = FindFirstFileW( &_v1134,  &_v612);
                                                                  												if(_v20 != 0xffffffff) {
                                                                  													FindClose(_v20);
                                                                  													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                                                  														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                                                  														E0040A6C0( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                                                  														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                                                  														_t115 = _t112;
                                                                  														continue;
                                                                  													}
                                                                  												}
                                                                  											}
                                                                  											goto L24;
                                                                  										}
                                                                  										E0040A6C0(_v8,  &_v1134, _v12);
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                                                                  					if(_t90 == 0) {
                                                                  						goto L4;
                                                                  					} else {
                                                                  						_push(0x105);
                                                                  						_push( &_v1134);
                                                                  						_push(_v8);
                                                                  						if( *_t90() == 0) {
                                                                  							goto L4;
                                                                  						} else {
                                                                  							E0040A6C0(_v8,  &_v1134, _v12);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				L24:
                                                                  				return _v16;
                                                                  			}























                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,004163D0,?,?), ref: 0040ACB9
                                                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040ACCA
                                                                  • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004163D0,?,?), ref: 0040ADCA
                                                                  • FindClose.KERNEL32(?,?,?,kernel32.dll,004163D0,?,?), ref: 0040ADDC
                                                                  • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004163D0,?,?), ref: 0040ADE8
                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004163D0,?,?), ref: 0040AE2D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                  • String ID: GetLongPathNameW$\$kernel32.dll
                                                                  • API String ID: 1930782624-3908791685
                                                                  • Opcode ID: c23059803d50ffbb69bc2ce4a2bd9c62d9d22e9847f338aa71202613e6372609
                                                                  • Instruction ID: 41d01645e24d257238dd5067bd4c9414aa615acd03712fd1fd4c25b28ebdd489
                                                                  • Opcode Fuzzy Hash: c23059803d50ffbb69bc2ce4a2bd9c62d9d22e9847f338aa71202613e6372609
                                                                  • Instruction Fuzzy Hash: 7941A331A007189BCB10EFA4CC85ADEB3B5AF44310F1885B69544F73D1E7799E518B8A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 91%
                                                                  			E004A0E28() {
                                                                  				int _v4;
                                                                  				struct _TOKEN_PRIVILEGES _v16;
                                                                  				void* _v20;
                                                                  				int _t7;
                                                                  
                                                                  				if(E0042004C() != 2) {
                                                                  					L5:
                                                                  					_t7 = ExitWindowsEx(2, 0);
                                                                  					asm("sbb eax, eax");
                                                                  					return _t7 + 1;
                                                                  				}
                                                                  				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
                                                                  					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
                                                                  					_v16.PrivilegeCount = 1;
                                                                  					_v4 = 2;
                                                                  					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                                                  					if(GetLastError() == 0) {
                                                                  						goto L5;
                                                                  					}
                                                                  					return 0;
                                                                  				}
                                                                  				return 0;
                                                                  			}








                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 004A0E38
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004A0E3E
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004A0E57
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004A0E7E
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004A0E83
                                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 004A0E94
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                  • String ID: SeShutdownPrivilege
                                                                  • API String ID: 107509674-3733053543
                                                                  • Opcode ID: fe1b067eca73296cefec74aef68d5e38e82838797bed51e4050b4c645f3bddb9
                                                                  • Instruction ID: de75dd4a19c05497f4e369505de79ffe978a6723dd01d742fb3c8f7576f479cb
                                                                  • Opcode Fuzzy Hash: fe1b067eca73296cefec74aef68d5e38e82838797bed51e4050b4c645f3bddb9
                                                                  • Instruction Fuzzy Hash: 8AF06D7068430179F720A6B28C07F2B61C89B56B48F900C2AFA85EA1C2E7BDD414526F
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004A1700() {
                                                                  				struct HRSRC__* _t10;
                                                                  				void* _t11;
                                                                  				void* _t12;
                                                                  
                                                                  				_t10 = FindResourceW(0, 0x2b67, 0xa);
                                                                  				if(_t10 == 0) {
                                                                  					E004A1544();
                                                                  				}
                                                                  				if(SizeofResource(0, _t10) != 0x2c) {
                                                                  					E004A1544();
                                                                  				}
                                                                  				_t11 = LoadResource(0, _t10);
                                                                  				if(_t11 == 0) {
                                                                  					E004A1544();
                                                                  				}
                                                                  				_t12 = LockResource(_t11);
                                                                  				if(_t12 == 0) {
                                                                  					E004A1544();
                                                                  				}
                                                                  				return _t12;
                                                                  			}

                                                                  APIs
                                                                  • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002,00000000,004A857E,?,00000000,004A85C2), ref: 004A170A
                                                                  • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002,00000000,004A857E), ref: 004A171D
                                                                  • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002,00000000), ref: 004A172F
                                                                  • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002), ref: 004A1740
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                  • String ID:
                                                                  • API String ID: 3473537107-0
                                                                  • Opcode ID: 0e167eaf222881e49b93fd61e2515b39df1dd1f3b826912796eb5bb1c6379618
                                                                  • Instruction ID: d09968d54a12af4fb9a7ffdc410a445be0be65e0f1a53bf5b11a7e4f68c05b11
                                                                  • Opcode Fuzzy Hash: 0e167eaf222881e49b93fd61e2515b39df1dd1f3b826912796eb5bb1c6379618
                                                                  • Instruction Fuzzy Hash: 2AE09284B8575635FA643AF71CC7B6E00094B7778DF40183BF606692E2EDACCC14122E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 71%
                                                                  			E0040A840(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                  				intOrPtr* _v8;
                                                                  				intOrPtr _v12;
                                                                  				short _v182;
                                                                  				short _v352;
                                                                  				char _v356;
                                                                  				char _v360;
                                                                  				char _v364;
                                                                  				int _t58;
                                                                  				signed int _t61;
                                                                  				intOrPtr _t70;
                                                                  				signed short _t80;
                                                                  				void* _t83;
                                                                  				void* _t85;
                                                                  				void* _t86;
                                                                  
                                                                  				_t77 = __edi;
                                                                  				_push(__edi);
                                                                  				_v356 = 0;
                                                                  				_v360 = 0;
                                                                  				_v364 = 0;
                                                                  				_v8 = __edx;
                                                                  				_t80 = __eax;
                                                                  				_push(_t83);
                                                                  				_push(0x40a9a5);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t83 + 0xfffffe98;
                                                                  				E004079F4(_v8);
                                                                  				_t85 = _t80 -  *0x4a9a08; // 0x404
                                                                  				if(_t85 >= 0) {
                                                                  					_t86 = _t80 -  *0x4a9c08; // 0x7c68
                                                                  					if(_t86 <= 0) {
                                                                  						_t77 = 0x40;
                                                                  						_v12 = 0;
                                                                  						if(0x40 >= _v12) {
                                                                  							do {
                                                                  								_t61 = _t77 + _v12 >> 1;
                                                                  								if(_t80 >=  *((intOrPtr*)(0x4a9a08 + _t61 * 8))) {
                                                                  									__eflags = _t80 -  *((intOrPtr*)(0x4a9a08 + _t61 * 8));
                                                                  									if(__eflags <= 0) {
                                                                  										E0040A760( *((intOrPtr*)(0x4a9a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
                                                                  									} else {
                                                                  										_v12 = _t61 + 1;
                                                                  										goto L8;
                                                                  									}
                                                                  								} else {
                                                                  									_t77 = _t61 - 1;
                                                                  									goto L8;
                                                                  								}
                                                                  								goto L9;
                                                                  								L8:
                                                                  							} while (_t77 >= _v12);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				L9:
                                                                  				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
                                                                  					_t58 = _t80 & 0x0000ffff;
                                                                  					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
                                                                  					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
                                                                  					E0040856C( &_v356, 0x55,  &_v182);
                                                                  					_push(_v356);
                                                                  					_push(0x40a9c0);
                                                                  					E0040856C( &_v360, 0x55,  &_v352);
                                                                  					_push(_v360);
                                                                  					_push(E0040A9D0);
                                                                  					E0040856C( &_v364, 0x55,  &_v182);
                                                                  					_push(_v364);
                                                                  					E004087A4(_v8, _t58, 5, _t77, _t80);
                                                                  				}
                                                                  				_pop(_t70);
                                                                  				 *[fs:eax] = _t70;
                                                                  				_push(E0040A9AC);
                                                                  				return E00407A54( &_v364, 3);
                                                                  			}

                                                                  APIs
                                                                  • IsValidLocale.KERNEL32(?,00000002,00000000,0040A9A5,?,004163D0,?,00000000), ref: 0040A8EA
                                                                  • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A9A5,?,004163D0,?,00000000), ref: 0040A906
                                                                  • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A9A5,?,004163D0,?,00000000), ref: 0040A917
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$Info$Valid
                                                                  • String ID:
                                                                  • API String ID: 1826331170-0
                                                                  • Opcode ID: 64b235b34ad3b405be668a38bbcf0c4c9e16d70e7dca781f39a661cc6ac02bf3
                                                                  • Instruction ID: a21452d7453331bea184a1c788462f810345500a03990f2c05a1053d145e59cd
                                                                  • Opcode Fuzzy Hash: 64b235b34ad3b405be668a38bbcf0c4c9e16d70e7dca781f39a661cc6ac02bf3
                                                                  • Instruction Fuzzy Hash: 53319EB1A00708AAEB20EB55CC81BEF7BB9EB45701F1044BBA104B72D0D7395E91DF1A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041A5FC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                  				long _v8;
                                                                  				long _v12;
                                                                  				long _v16;
                                                                  				long _v20;
                                                                  				intOrPtr _v24;
                                                                  				signed int _v28;
                                                                  				WCHAR* _t25;
                                                                  				int _t26;
                                                                  				intOrPtr _t31;
                                                                  				intOrPtr _t34;
                                                                  				intOrPtr* _t37;
                                                                  				intOrPtr* _t38;
                                                                  				intOrPtr _t46;
                                                                  				intOrPtr _t48;
                                                                  
                                                                  				_t25 = _a4;
                                                                  				if(_t25 == 0) {
                                                                  					_t25 = 0;
                                                                  				}
                                                                  				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                                  				_v28 = _v8 * _v12;
                                                                  				_v24 = 0;
                                                                  				_t46 = _v24;
                                                                  				_t31 = E004098FC(_v28, _t46, _v16, 0);
                                                                  				_t37 = _a8;
                                                                  				 *_t37 = _t31;
                                                                  				 *((intOrPtr*)(_t37 + 4)) = _t46;
                                                                  				_t48 = _v24;
                                                                  				_t34 = E004098FC(_v28, _t48, _v20, 0);
                                                                  				_t38 = _a12;
                                                                  				 *_t38 = _t34;
                                                                  				 *((intOrPtr*)(_t38 + 4)) = _t48;
                                                                  				return _t26;
                                                                  			}

                                                                  APIs
                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A61D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1705453755-0
                                                                  • Opcode ID: 1f81ffd3f8b7f43dd4d40be7e4fa3e48113c3a6555be2f83e13846e6c896b012
                                                                  • Instruction ID: 1ffc0297bdb4ea11008dc3bcb63dba6813c0f317fc4836b7b6f34cb81ab2f15a
                                                                  • Opcode Fuzzy Hash: 1f81ffd3f8b7f43dd4d40be7e4fa3e48113c3a6555be2f83e13846e6c896b012
                                                                  • Instruction Fuzzy Hash: 4B110CB5E00209AFDB00DF99C8819AFB7F9EFC8304B14C56AA508E7255E6319E018BA0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041E154(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                                  				short _v516;
                                                                  				void* __ebp;
                                                                  				int _t5;
                                                                  				intOrPtr _t10;
                                                                  				void* _t18;
                                                                  
                                                                  				_t18 = __ecx;
                                                                  				_t10 = _a4;
                                                                  				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
                                                                  				_t19 = _t5;
                                                                  				if(_t5 <= 0) {
                                                                  					return E00407DD4(_t10, _t18);
                                                                  				}
                                                                  				return E00407B7C(_t10, _t5 - 1,  &_v516, _t19);
                                                                  			}

                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E172
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 7928e8acb0f3bf95a95806c5ee37cf780a020151f3d59b515ba1fff5897a5f5c
                                                                  • Instruction ID: 7cf265298f8ae4c2c4586e2e1eef3c96f0d827603146793af8923f5675885b80
                                                                  • Opcode Fuzzy Hash: 7928e8acb0f3bf95a95806c5ee37cf780a020151f3d59b515ba1fff5897a5f5c
                                                                  • Instruction Fuzzy Hash: 73E09235B0421427E314A55A8C86EFA725C9B48340F40457FBE05D7382ED74AD4082E9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 79%
                                                                  			E0041E1A0(int __eax, signed int __ecx, int __edx) {
                                                                  				short _v16;
                                                                  				signed int _t5;
                                                                  				signed int _t10;
                                                                  
                                                                  				_push(__ecx);
                                                                  				_t10 = __ecx;
                                                                  				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
                                                                  					_t5 = _t10;
                                                                  				} else {
                                                                  					_t5 = _v16 & 0x0000ffff;
                                                                  				}
                                                                  				return _t5;
                                                                  			}







                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E2A2,?,00000001,00000000,0041E4B1), ref: 0041E1B3
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: 43bf76aed24dc9c521354dcf3a82bfc67647264a5ffb14c8d3d6dbd711227945
                                                                  • Instruction ID: c7815ca7096205c7b25e67d21c63a0a54a6ca7704bde0e99258243124e7cf7fc
                                                                  • Opcode Fuzzy Hash: 43bf76aed24dc9c521354dcf3a82bfc67647264a5ffb14c8d3d6dbd711227945
                                                                  • Instruction Fuzzy Hash: 8AD05EBA30922036E214915B6D45DBB56DCCBC97A2F144C3BBE48C7241D224CC46D275
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E004A0F30(signed int __eax) {
                                                                  				short _v8;
                                                                  				signed int _t6;
                                                                  
                                                                  				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
                                                                  				if(_t6 <= 0) {
                                                                  					return _t6 | 0xffffffff;
                                                                  				}
                                                                  				return _v8;
                                                                  			}






                                                                  APIs
                                                                  • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004A1030), ref: 004A0F46
                                                                  Similarity
                                                                  • API ID: InfoLocale
                                                                  • String ID:
                                                                  • API String ID: 2299586839-0
                                                                  • Opcode ID: c33d9d24f17edf913d3c59cc52c7a948e32ac160c74623fd23b254e084f3a8be
                                                                  • Instruction ID: a387aee5510ce7cb312478dcb7dda2bca2cadc0d391de8f1265bd776c9a03677
                                                                  • Opcode Fuzzy Hash: c33d9d24f17edf913d3c59cc52c7a948e32ac160c74623fd23b254e084f3a8be
                                                                  • Instruction Fuzzy Hash: 2CD05B61504308BDF504C1965D82D76729C9709324F500616F618D51C1D6A5FE005228
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0041C4F8() {
                                                                  				struct _SYSTEMTIME* _t2;
                                                                  
                                                                  				GetLocalTime(_t2);
                                                                  				return _t2->wYear & 0x0000ffff;
                                                                  			}





                                                                  APIs
                                                                  Similarity
                                                                  • API ID: LocalTime
                                                                  • String ID:
                                                                  • API String ID: 481472006-0
                                                                  • Opcode ID: 432e8ebe5e08171c98f20f808d41c161dd1ffcd0287293d7c08b14c61d049f45
                                                                  • Instruction ID: 30d254df6966928add27f6c53b79b67b7018594c25d8f6651389e5cc9869a0f0
                                                                  • Opcode Fuzzy Hash: 432e8ebe5e08171c98f20f808d41c161dd1ffcd0287293d7c08b14c61d049f45
                                                                  • Instruction Fuzzy Hash: 90A0120040582001D140331A0C0313930405800624FC40F55BCF8502D5E92D013440D7
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%


                                                                  C-Code - Quality: 100%
                                                                  			E004254D0(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                                  				intOrPtr* _v8;
                                                                  				intOrPtr _v12;
                                                                  				intOrPtr _v16;
                                                                  				intOrPtr _v20;
                                                                  				signed int _v24;
                                                                  				char _v25;
                                                                  				signed int _v32;
                                                                  				signed int _v36;
                                                                  				signed int _v40;
                                                                  				signed int _v44;
                                                                  				signed int _v48;
                                                                  				signed int _v52;
                                                                  				signed int _v56;
                                                                  				intOrPtr _v60;
                                                                  				char _v64;
                                                                  				char* _v68;
                                                                  				void* _v72;
                                                                  				char _v76;
                                                                  				intOrPtr _v80;
                                                                  				intOrPtr _v84;
                                                                  				signed int _v88;
                                                                  				char _v89;
                                                                  				char _v96;
                                                                  				signed int _v100;
                                                                  				signed int _v104;
                                                                  				short* _v108;
                                                                  				signed int _v112;
                                                                  				signed int _v116;
                                                                  				intOrPtr _v120;
                                                                  				intOrPtr _v124;
                                                                  				intOrPtr _v128;
                                                                  				intOrPtr _v132;
                                                                  				char _v136;
                                                                  				signed int _t370;
                                                                  				void* _t375;
                                                                  				signed int _t377;
                                                                  				signed int _t381;
                                                                  				signed int _t389;
                                                                  				signed int _t395;
                                                                  				signed int _t411;
                                                                  				intOrPtr _t422;
                                                                  				signed int _t426;
                                                                  				signed int _t435;
                                                                  				void* _t448;
                                                                  				signed int _t458;
                                                                  				char _t460;
                                                                  				signed int _t474;
                                                                  				char* _t503;
                                                                  				signed int _t508;
                                                                  				signed int _t616;
                                                                  				signed int _t617;
                                                                  				signed int _t618;
                                                                  				signed int _t622;
                                                                  
                                                                  				_v16 = __ecx;
                                                                  				_v12 = __edx;
                                                                  				_v8 = __eax;
                                                                  				_v20 =  *((intOrPtr*)(_v8 + 0x10));
                                                                  				_v24 = 0;
                                                                  				_v32 = (1 <<  *(_v8 + 8)) - 1;
                                                                  				_v36 = (1 <<  *(_v8 + 4)) - 1;
                                                                  				_v40 =  *_v8;
                                                                  				_t617 =  *((intOrPtr*)(_v8 + 0x34));
                                                                  				_t474 =  *(_v8 + 0x44);
                                                                  				_v44 =  *((intOrPtr*)(_v8 + 0x38));
                                                                  				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
                                                                  				_v52 =  *((intOrPtr*)(_v8 + 0x40));
                                                                  				_v56 =  *((intOrPtr*)(_v8 + 0x48));
                                                                  				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
                                                                  				_v64 =  *((intOrPtr*)(_v8 + 0x30));
                                                                  				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
                                                                  				_v72 =  *((intOrPtr*)(_v8 + 0xc));
                                                                  				_t616 =  *((intOrPtr*)(_v8 + 0x28));
                                                                  				_v128 =  *((intOrPtr*)(_v8 + 0x20));
                                                                  				_v124 =  *((intOrPtr*)(_v8 + 0x24));
                                                                  				_v120 = _v12;
                                                                  				_v136 =  *((intOrPtr*)(_v8 + 0x14));
                                                                  				_v132 =  *((intOrPtr*)(_v8 + 0x18));
                                                                  				 *_a4 = 0;
                                                                  				if(_v56 == 0xffffffff) {
                                                                  					return 0;
                                                                  				}
                                                                  				__eflags = _v72;
                                                                  				if(_v72 == 0) {
                                                                  					_v68 =  &_v76;
                                                                  					_v72 = 1;
                                                                  					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
                                                                  				}
                                                                  				__eflags = _v56 - 0xfffffffe;
                                                                  				if(_v56 != 0xfffffffe) {
                                                                  					L12:
                                                                  					_v108 = _v16 + _v24;
                                                                  					while(1) {
                                                                  						__eflags = _v56;
                                                                  						if(_v56 == 0) {
                                                                  							break;
                                                                  						}
                                                                  						__eflags = _v24 - _a8;
                                                                  						if(_v24 < _a8) {
                                                                  							_t458 = _t616 - _t617;
                                                                  							__eflags = _t458 - _v72;
                                                                  							if(_t458 >= _v72) {
                                                                  								_t458 = _t458 + _v72;
                                                                  								__eflags = _t458;
                                                                  							}
                                                                  							_t460 =  *((intOrPtr*)(_v68 + _t458));
                                                                  							 *((char*)(_v68 + _t616)) = _t460;
                                                                  							 *_v108 = _t460;
                                                                  							_v24 = _v24 + 1;
                                                                  							_v108 = _v108 + 1;
                                                                  							_t616 = _t616 + 1;
                                                                  							__eflags = _t616 - _v72;
                                                                  							if(_t616 == _v72) {
                                                                  								_t616 = 0;
                                                                  								__eflags = 0;
                                                                  							}
                                                                  							_t116 =  &_v56;
                                                                  							 *_t116 = _v56 - 1;
                                                                  							__eflags =  *_t116;
                                                                  							continue;
                                                                  						}
                                                                  						break;
                                                                  					}
                                                                  					__eflags = _t616;
                                                                  					if(_t616 != 0) {
                                                                  						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
                                                                  					} else {
                                                                  						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
                                                                  					}
                                                                  					__eflags = 0;
                                                                  					_v116 = 0;
                                                                  					_v112 = 0;
                                                                  					while(1) {
                                                                  						L24:
                                                                  						_v108 = _v16 + _v24;
                                                                  						__eflags = _v24 - _a8;
                                                                  						if(_v24 >= _a8) {
                                                                  							break;
                                                                  						} else {
                                                                  							goto L25;
                                                                  						}
                                                                  						while(1) {
                                                                  							L25:
                                                                  							_v88 = _v24 + _v60 & _v32;
                                                                  							__eflags = _v116;
                                                                  							if(_v116 != 0) {
                                                                  								break;
                                                                  							}
                                                                  							__eflags = _v112;
                                                                  							if(_v112 == 0) {
                                                                  								_t370 = E00425228((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
                                                                  								__eflags = _t370;
                                                                  								if(_t370 != 0) {
                                                                  									_t375 = E00425228(_t474 + _t474 + _v20 + 0x180,  &_v136);
                                                                  									__eflags = _t375 != 1;
                                                                  									if(_t375 != 1) {
                                                                  										_v52 = _v48;
                                                                  										_v48 = _v44;
                                                                  										_v44 = _t617;
                                                                  										__eflags = _t474 - 7;
                                                                  										if(__eflags >= 0) {
                                                                  											_t377 = 0xa;
                                                                  										} else {
                                                                  											_t377 = 7;
                                                                  										}
                                                                  										_t474 = _t377;
                                                                  										_v56 = E004253D8(_v20 + 0x664, _v88,  &_v136, __eflags);
                                                                  										_t503 =  &_v136;
                                                                  										__eflags = _v56 - 4;
                                                                  										if(_v56 >= 4) {
                                                                  											_t381 = 3;
                                                                  										} else {
                                                                  											_t381 = _v56;
                                                                  										}
                                                                  										_v100 = E004252B0((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
                                                                  										__eflags = _v100 - 4;
                                                                  										if(_v100 < 4) {
                                                                  											_t618 = _v100;
                                                                  										} else {
                                                                  											_v104 = (_v100 >> 1) - 1;
                                                                  											_t524 = _v104;
                                                                  											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
                                                                  											__eflags = _v100 - 0xe;
                                                                  											if(_v100 >= 0xe) {
                                                                  												_t395 = E004251C8( &_v136, _t524, _v104 + 0xfffffffc);
                                                                  												_t618 = _t622 + (_t395 << 4) + E004252F4(_v20 + 0x644,  &_v136, 4);
                                                                  											} else {
                                                                  												_t618 = _t622 + E004252F4(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
                                                                  											}
                                                                  										}
                                                                  										_t617 = _t618 + 1;
                                                                  										__eflags = _t617;
                                                                  										if(_t617 != 0) {
                                                                  											L82:
                                                                  											_v56 = _v56 + 2;
                                                                  											__eflags = _t617 - _v64;
                                                                  											if(_t617 <= _v64) {
                                                                  												__eflags = _v72 - _v64 - _v56;
                                                                  												if(_v72 - _v64 <= _v56) {
                                                                  													_v64 = _v72;
                                                                  												} else {
                                                                  													_v64 = _v64 + _v56;
                                                                  												}
                                                                  												while(1) {
                                                                  													_t389 = _t616 - _t617;
                                                                  													__eflags = _t389 - _v72;
                                                                  													if(_t389 >= _v72) {
                                                                  														_t389 = _t389 + _v72;
                                                                  														__eflags = _t389;
                                                                  													}
                                                                  													_v25 =  *((intOrPtr*)(_v68 + _t389));
                                                                  													 *((char*)(_v68 + _t616)) = _v25;
                                                                  													_t616 = _t616 + 1;
                                                                  													__eflags = _t616 - _v72;
                                                                  													if(_t616 == _v72) {
                                                                  														_t616 = 0;
                                                                  														__eflags = 0;
                                                                  													}
                                                                  													_v56 = _v56 - 1;
                                                                  													 *_v108 = _v25;
                                                                  													_v24 = _v24 + 1;
                                                                  													_v108 = _v108 + 1;
                                                                  													__eflags = _v56;
                                                                  													if(_v56 == 0) {
                                                                  														break;
                                                                  													}
                                                                  													__eflags = _v24 - _a8;
                                                                  													if(_v24 < _a8) {
                                                                  														continue;
                                                                  													}
                                                                  													break;
                                                                  												}
                                                                  												L93:
                                                                  												__eflags = _v24 - _a8;
                                                                  												if(_v24 < _a8) {
                                                                  													continue;
                                                                  												}
                                                                  												goto L94;
                                                                  											}
                                                                  											return 1;
                                                                  										} else {
                                                                  											_v56 = 0xffffffff;
                                                                  											goto L94;
                                                                  										}
                                                                  									}
                                                                  									_t411 = E00425228(_t474 + _t474 + _v20 + 0x198,  &_v136);
                                                                  									__eflags = _t411;
                                                                  									if(_t411 != 0) {
                                                                  										__eflags = E00425228(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
                                                                  										if(__eflags != 0) {
                                                                  											__eflags = E00425228(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
                                                                  											if(__eflags != 0) {
                                                                  												_t422 = _v52;
                                                                  												_v52 = _v48;
                                                                  											} else {
                                                                  												_t422 = _v48;
                                                                  											}
                                                                  											_v48 = _v44;
                                                                  										} else {
                                                                  											_t422 = _v44;
                                                                  										}
                                                                  										_v44 = _t617;
                                                                  										_t617 = _t422;
                                                                  										L65:
                                                                  										_v56 = E004253D8(_v20 + 0xa68, _v88,  &_v136, __eflags);
                                                                  										__eflags = _t474 - 7;
                                                                  										if(_t474 >= 7) {
                                                                  											_t426 = 0xb;
                                                                  										} else {
                                                                  											_t426 = 8;
                                                                  										}
                                                                  										_t474 = _t426;
                                                                  										goto L82;
                                                                  									}
                                                                  									__eflags = E00425228((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
                                                                  									if(__eflags != 0) {
                                                                  										goto L65;
                                                                  									}
                                                                  									__eflags = _v64;
                                                                  									if(_v64 != 0) {
                                                                  										__eflags = _t474 - 7;
                                                                  										if(_t474 >= 7) {
                                                                  											_t508 = 0xb;
                                                                  										} else {
                                                                  											_t508 = 9;
                                                                  										}
                                                                  										_t474 = _t508;
                                                                  										_t435 = _t616 - _t617;
                                                                  										__eflags = _t435 - _v72;
                                                                  										if(_t435 >= _v72) {
                                                                  											_t435 = _t435 + _v72;
                                                                  											__eflags = _t435;
                                                                  										}
                                                                  										_v25 =  *((intOrPtr*)(_v68 + _t435));
                                                                  										 *((char*)(_v68 + _t616)) = _v25;
                                                                  										_t616 = _t616 + 1;
                                                                  										__eflags = _t616 - _v72;
                                                                  										if(_t616 == _v72) {
                                                                  											_t616 = 0;
                                                                  											__eflags = 0;
                                                                  										}
                                                                  										 *_v108 = _v25;
                                                                  										_v24 = _v24 + 1;
                                                                  										__eflags = _v64 - _v72;
                                                                  										if(_v64 < _v72) {
                                                                  											_v64 = _v64 + 1;
                                                                  										}
                                                                  										goto L24;
                                                                  									}
                                                                  									return 1;
                                                                  								}
                                                                  								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
                                                                  								__eflags = _t474 - 7;
                                                                  								if(__eflags < 0) {
                                                                  									_v25 = E00425338(_t448,  &_v136, __eflags);
                                                                  								} else {
                                                                  									_v96 = _t616 - _t617;
                                                                  									__eflags = _v96 - _v72;
                                                                  									if(__eflags >= 0) {
                                                                  										_t161 =  &_v96;
                                                                  										 *_t161 = _v96 + _v72;
                                                                  										__eflags =  *_t161;
                                                                  									}
                                                                  									_v89 =  *((intOrPtr*)(_v68 + _v96));
                                                                  									_v25 = E00425364(_t448, _v89,  &_v136, __eflags);
                                                                  								}
                                                                  								 *_v108 = _v25;
                                                                  								_v24 = _v24 + 1;
                                                                  								_v108 = _v108 + 1;
                                                                  								__eflags = _v64 - _v72;
                                                                  								if(_v64 < _v72) {
                                                                  									_t180 =  &_v64;
                                                                  									 *_t180 = _v64 + 1;
                                                                  									__eflags =  *_t180;
                                                                  								}
                                                                  								 *((char*)(_v68 + _t616)) = _v25;
                                                                  								_t616 = _t616 + 1;
                                                                  								__eflags = _t616 - _v72;
                                                                  								if(_t616 == _v72) {
                                                                  									_t616 = 0;
                                                                  									__eflags = 0;
                                                                  								}
                                                                  								__eflags = _t474 - 4;
                                                                  								if(_t474 >= 4) {
                                                                  									__eflags = _t474 - 0xa;
                                                                  									if(_t474 >= 0xa) {
                                                                  										_t474 = _t474 - 6;
                                                                  									} else {
                                                                  										_t474 = _t474 - 3;
                                                                  									}
                                                                  								} else {
                                                                  									_t474 = 0;
                                                                  								}
                                                                  								goto L93;
                                                                  							}
                                                                  							return 1;
                                                                  						}
                                                                  						return _v116;
                                                                  					}
                                                                  					L94:
                                                                  					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
                                                                  					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
                                                                  					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
                                                                  					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
                                                                  					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
                                                                  					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
                                                                  					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
                                                                  					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
                                                                  					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
                                                                  					 *(_v8 + 0x44) = _t474;
                                                                  					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
                                                                  					 *((char*)(_v8 + 0x4c)) = _v76;
                                                                  					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
                                                                  					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
                                                                  					 *_a4 = _v24;
                                                                  					__eflags = 0;
                                                                  					return 0;
                                                                  				}
                                                                  				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
                                                                  				_v84 = 0;
                                                                  				_v108 = _v20;
                                                                  				__eflags = _v84 - _v80;
                                                                  				if(_v84 >= _v80) {
                                                                  					L7:
                                                                  					_v52 = 1;
                                                                  					_v48 = 1;
                                                                  					_v44 = 1;
                                                                  					_t617 = 1;
                                                                  					_v60 = 0;
                                                                  					_v64 = 0;
                                                                  					_t474 = 0;
                                                                  					_t616 = 0;
                                                                  					 *((char*)(_v68 + _v72 - 1)) = 0;
                                                                  					E00425188( &_v136);
                                                                  					__eflags = _v116;
                                                                  					if(_v116 != 0) {
                                                                  						return _v116;
                                                                  					}
                                                                  					__eflags = _v112;
                                                                  					if(_v112 == 0) {
                                                                  						__eflags = 0;
                                                                  						_v56 = 0;
                                                                  						goto L12;
                                                                  					} else {
                                                                  						return 1;
                                                                  					}
                                                                  				} else {
                                                                  					goto L6;
                                                                  				}
                                                                  				do {
                                                                  					L6:
                                                                  					 *_v108 = 0x400;
                                                                  					_v84 = _v84 + 1;
                                                                  					_v108 = _v108 + 2;
                                                                  					__eflags = _v84 - _v80;
                                                                  				} while (_v84 < _v80);
                                                                  				goto L7;
                                                                  			}
                                                                  0x00425a1a
                                                                  0x00425a1a
                                                                  0x004259f4
                                                                  0x00425a53
                                                                  0x00425a53
                                                                  0x00425a54
                                                                  0x00425a5f
                                                                  0x00425a5f
                                                                  0x00425a63
                                                                  0x00425a66
                                                                  0x00425a78
                                                                  0x00425a7b
                                                                  0x00425a88
                                                                  0x00425a7d
                                                                  0x00425a80
                                                                  0x00425a80
                                                                  0x00425a8b
                                                                  0x00425a8d
                                                                  0x00425a8f
                                                                  0x00425a92
                                                                  0x00425a94
                                                                  0x00425a94
                                                                  0x00425a94
                                                                  0x00425a9d
                                                                  0x00425aa6
                                                                  0x00425aa9
                                                                  0x00425aaa
                                                                  0x00425aad
                                                                  0x00425aaf
                                                                  0x00425aaf
                                                                  0x00425aaf
                                                                  0x00425ab1
                                                                  0x00425aba
                                                                  0x00425abc
                                                                  0x00425abf
                                                                  0x00425ac2
                                                                  0x00425ac6
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00425acb
                                                                  0x00425ace
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00425ace
                                                                  0x00425ad0
                                                                  0x00425ad3
                                                                  0x00425ad6
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00425ad6
                                                                  0x00000000
                                                                  0x00425a56
                                                                  0x00425a56
                                                                  0x00000000
                                                                  0x00425a56
                                                                  0x00425a54
                                                                  0x00425843
                                                                  0x00425848
                                                                  0x0042584a
                                                                  0x004258fa
                                                                  0x004258fc
                                                                  0x0042591a
                                                                  0x0042591c
                                                                  0x00425923
                                                                  0x00425929
                                                                  0x0042591e
                                                                  0x0042591e
                                                                  0x0042591e
                                                                  0x0042592f
                                                                  0x004258fe
                                                                  0x004258fe
                                                                  0x004258fe
                                                                  0x00425932
                                                                  0x00425935
                                                                  0x00425937
                                                                  0x0042594d
                                                                  0x00425950
                                                                  0x00425953
                                                                  0x0042595c
                                                                  0x00425955
                                                                  0x00425955
                                                                  0x00425955
                                                                  0x00425961
                                                                  0x00000000
                                                                  0x00425961
                                                                  0x00425871
                                                                  0x00425873
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00425879
                                                                  0x0042587d
                                                                  0x00425889
                                                                  0x0042588c
                                                                  0x00425895
                                                                  0x0042588e
                                                                  0x0042588e
                                                                  0x0042588e
                                                                  0x0042589a
                                                                  0x0042589e
                                                                  0x004258a0
                                                                  0x004258a3
                                                                  0x004258a5
                                                                  0x004258a5
                                                                  0x004258a5
                                                                  0x004258ae
                                                                  0x004258b7
                                                                  0x004258ba
                                                                  0x004258bb
                                                                  0x004258be
                                                                  0x004258c0
                                                                  0x004258c0
                                                                  0x004258c0
                                                                  0x004258c8
                                                                  0x004258ca
                                                                  0x004258d0
                                                                  0x004258d3
                                                                  0x004258d9
                                                                  0x004258d9
                                                                  0x00000000
                                                                  0x004258d3
                                                                  0x00000000
                                                                  0x0042587f
                                                                  0x0042577c
                                                                  0x00425781
                                                                  0x00425784
                                                                  0x004257c5
                                                                  0x00425786
                                                                  0x0042578a
                                                                  0x00425790
                                                                  0x00425793
                                                                  0x00425798
                                                                  0x00425798
                                                                  0x00425798
                                                                  0x00425798
                                                                  0x004257a4
                                                                  0x004257b5
                                                                  0x004257b5
                                                                  0x004257ce
                                                                  0x004257d0
                                                                  0x004257d3
                                                                  0x004257d9
                                                                  0x004257dc
                                                                  0x004257de
                                                                  0x004257de
                                                                  0x004257de
                                                                  0x004257de
                                                                  0x004257e7
                                                                  0x004257ea
                                                                  0x004257eb
                                                                  0x004257ee
                                                                  0x004257f0
                                                                  0x004257f0
                                                                  0x004257f0
                                                                  0x004257f2
                                                                  0x004257f5
                                                                  0x004257fe
                                                                  0x00425801
                                                                  0x0042580b
                                                                  0x00425803
                                                                  0x00425803
                                                                  0x00425803
                                                                  0x004257f7
                                                                  0x004257f7
                                                                  0x004257f7
                                                                  0x00000000
                                                                  0x004257f5
                                                                  0x00000000
                                                                  0x00425724
                                                                  0x00000000
                                                                  0x00425716
                                                                  0x00425adc
                                                                  0x00425ae2
                                                                  0x00425aeb
                                                                  0x00425af1
                                                                  0x00425afd
                                                                  0x00425b06
                                                                  0x00425b0c
                                                                  0x00425b15
                                                                  0x00425b1e
                                                                  0x00425b27
                                                                  0x00425b2d
                                                                  0x00425b36
                                                                  0x00425b3f
                                                                  0x00425b4b
                                                                  0x00425b54
                                                                  0x00425b5d
                                                                  0x00425b5f
                                                                  0x00000000
                                                                  0x00425b5f
                                                                  0x004255f5
                                                                  0x004255f8
                                                                  0x00425600
                                                                  0x00425606
                                                                  0x00425609
                                                                  0x00425622
                                                                  0x00425629
                                                                  0x0042562c
                                                                  0x0042562f
                                                                  0x00425632
                                                                  0x00425634
                                                                  0x00425639
                                                                  0x0042563c
                                                                  0x00425644
                                                                  0x00425646
                                                                  0x00425651
                                                                  0x00425656
                                                                  0x0042565a
                                                                  0x00000000
                                                                  0x0042565c
                                                                  0x00425664
                                                                  0x00425668
                                                                  0x00425674
                                                                  0x00425676
                                                                  0x00000000
                                                                  0x0042566a
                                                                  0x00000000
                                                                  0x0042566a
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x00000000
                                                                  0x0042560b
                                                                  0x0042560b
                                                                  0x0042560e
                                                                  0x00425613
                                                                  0x00425616
                                                                  0x0042561d
                                                                  0x0042561d
                                                                  0x00000000

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                  • Instruction ID: 714bfb58b2794d167d20b22a4996e34f8aecc2b55e378ed3f9398e5555f8a7d3
                                                                  • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                  • Instruction Fuzzy Hash: 0D320374E00629DFCB04CF98D981AADBBB2BF88314F64816AD805AB341D774AE42CF54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00431F50(signed int* __eax, intOrPtr __ecx, signed int __edx) {
                                                                  				signed int* _v8;
                                                                  				signed int* _v12;
                                                                  				intOrPtr _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				char _v28;
                                                                  				unsigned int* _t96;
                                                                  				unsigned int* _t106;
                                                                  				signed int* _t108;
                                                                  				signed int _t109;
                                                                  
                                                                  				_t109 = __edx;
                                                                  				_v16 = __ecx;
                                                                  				_v12 = __eax;
                                                                  				_t106 =  &_v24;
                                                                  				_t108 =  &_v28;
                                                                  				_t96 =  &_v20;
                                                                  				 *_t96 = __edx + 0xdeadbeef + _v16;
                                                                  				 *_t106 =  *_t96;
                                                                  				 *_t108 =  *_t96;
                                                                  				_v8 = _v12;
                                                                  				if((_v8 & 0x00000003) != 0) {
                                                                  					if(__edx <= 0xc) {
                                                                  						L20:
                                                                  						if(_t109 > 0xc) {
                                                                  							L23:
                                                                  							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
                                                                  							L24:
                                                                  							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
                                                                  							L25:
                                                                  							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
                                                                  							L26:
                                                                  							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
                                                                  							L27:
                                                                  							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
                                                                  							L28:
                                                                  							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
                                                                  							L29:
                                                                  							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
                                                                  							L30:
                                                                  							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
                                                                  							L31:
                                                                  							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
                                                                  							L32:
                                                                  							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
                                                                  							L33:
                                                                  							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
                                                                  							L34:
                                                                  							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
                                                                  							L35:
                                                                  							 *_t108 =  *_t108 ^  *_t106;
                                                                  							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
                                                                  							 *_t96 =  *_t96 ^  *_t108;
                                                                  							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
                                                                  							 *_t106 =  *_t106 ^  *_t96;
                                                                  							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
                                                                  							 *_t108 =  *_t108 ^  *_t106;
                                                                  							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
                                                                  							 *_t96 =  *_t96 ^  *_t108;
                                                                  							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                  							 *_t106 =  *_t106 ^  *_t96;
                                                                  							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
                                                                  							 *_t108 =  *_t108 ^  *_t106;
                                                                  							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
                                                                  							return  *_t108;
                                                                  						}
                                                                  						switch( *((intOrPtr*)(_t109 * 4 +  &M004322BD))) {
                                                                  							case 0:
                                                                  								return  *_t108;
                                                                  							case 1:
                                                                  								goto L34;
                                                                  							case 2:
                                                                  								goto L33;
                                                                  							case 3:
                                                                  								goto L32;
                                                                  							case 4:
                                                                  								goto L31;
                                                                  							case 5:
                                                                  								goto L30;
                                                                  							case 6:
                                                                  								goto L29;
                                                                  							case 7:
                                                                  								goto L28;
                                                                  							case 8:
                                                                  								goto L27;
                                                                  							case 9:
                                                                  								goto L26;
                                                                  							case 0xa:
                                                                  								goto L25;
                                                                  							case 0xb:
                                                                  								goto L24;
                                                                  							case 0xc:
                                                                  								goto L23;
                                                                  						}
                                                                  					} else {
                                                                  						goto L19;
                                                                  					}
                                                                  					do {
                                                                  						L19:
                                                                  						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
                                                                  						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
                                                                  						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
                                                                  						 *_t96 =  *_t96 -  *_t108;
                                                                  						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                  						 *_t108 =  *_t108 +  *_t106;
                                                                  						 *_t106 =  *_t106 -  *_t96;
                                                                  						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                                  						 *_t96 =  *_t96 +  *_t108;
                                                                  						 *_t108 =  *_t108 -  *_t106;
                                                                  						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                                  						 *_t106 =  *_t106 +  *_t96;
                                                                  						 *_t96 =  *_t96 -  *_t108;
                                                                  						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                                  						 *_t108 =  *_t108 +  *_t106;
                                                                  						 *_t106 =  *_t106 -  *_t96;
                                                                  						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                                  						 *_t96 =  *_t96 +  *_t108;
                                                                  						 *_t108 =  *_t108 -  *_t106;
                                                                  						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                                  						 *_t106 =  *_t106 +  *_t96;
                                                                  						_t109 = _t109 - 0xc;
                                                                  						_v8 =  &(_v8[3]);
                                                                  					} while (_t109 > 0xc);
                                                                  					goto L20;
                                                                  				}
                                                                  				if(__edx <= 0xc) {
                                                                  					L3:
                                                                  					if(_t109 > 0xc) {
                                                                  						goto L35;
                                                                  					}
                                                                  					switch( *((intOrPtr*)(_t109 * 4 +  &M00432051))) {
                                                                  						case 0:
                                                                  							return  *_t108;
                                                                  						case 1:
                                                                  							_v8 =  *_v8;
                                                                  							__edx =  *_v8 & 0x000000ff;
                                                                  							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
                                                                  							goto L35;
                                                                  						case 2:
                                                                  							_v8 =  *_v8;
                                                                  							__edx =  *_v8 & 0x0000ffff;
                                                                  							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
                                                                  							goto L35;
                                                                  						case 3:
                                                                  							_v8 =  *_v8;
                                                                  							__edx =  *_v8 & 0x00ffffff;
                                                                  							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
                                                                  							goto L35;
                                                                  						case 4:
                                                                  							_v8 =  *_v8;
                                                                  							 *__eax =  *__eax +  *_v8;
                                                                  							goto L35;
                                                                  						case 5:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							__edx =  *(__edx + 4);
                                                                  							 *__ebx =  *__ebx + __edx;
                                                                  							goto L35;
                                                                  						case 6:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							__edx =  *(__edx + 4);
                                                                  							 *__ebx =  *__ebx + __edx;
                                                                  							goto L35;
                                                                  						case 7:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							__edx =  *(__edx + 4);
                                                                  							 *__ebx =  *__ebx + __edx;
                                                                  							goto L35;
                                                                  						case 8:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							 *__ebx =  *__ebx + __edx;
                                                                  							goto L35;
                                                                  						case 9:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                  							__edx =  *(__edx + 8);
                                                                  							 *__ecx =  *__ecx + __edx;
                                                                  							goto L35;
                                                                  						case 0xa:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                  							__edx =  *(__edx + 8);
                                                                  							 *__ecx =  *__ecx + __edx;
                                                                  							goto L35;
                                                                  						case 0xb:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                  							__edx =  *(__edx + 8);
                                                                  							 *__ecx =  *__ecx + __edx;
                                                                  							goto L35;
                                                                  						case 0xc:
                                                                  							__edx = _v8;
                                                                  							 *__eax =  *__eax +  *__edx;
                                                                  							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                  							 *__ecx =  *__ecx + __edx;
                                                                  							goto L35;
                                                                  					}
                                                                  				} else {
                                                                  					goto L2;
                                                                  				}
                                                                  				do {
                                                                  					L2:
                                                                  					 *_t96 =  *_t96 +  *_v8;
                                                                  					 *_t106 =  *_t106 + _v8[1];
                                                                  					 *_t108 =  *_t108 + _v8[2];
                                                                  					 *_t96 =  *_t96 -  *_t108;
                                                                  					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                  					 *_t108 =  *_t108 +  *_t106;
                                                                  					 *_t106 =  *_t106 -  *_t96;
                                                                  					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                                  					 *_t96 =  *_t96 +  *_t108;
                                                                  					 *_t108 =  *_t108 -  *_t106;
                                                                  					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                                  					 *_t106 =  *_t106 +  *_t96;
                                                                  					 *_t96 =  *_t96 -  *_t108;
                                                                  					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                                  					 *_t108 =  *_t108 +  *_t106;
                                                                  					 *_t106 =  *_t106 -  *_t96;
                                                                  					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                                  					 *_t96 =  *_t96 +  *_t108;
                                                                  					 *_t108 =  *_t108 -  *_t106;
                                                                  					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                                  					 *_t106 =  *_t106 +  *_t96;
                                                                  					_t109 = _t109 - 0xc;
                                                                  					_v8 = _v8 + 0xc;
                                                                  				} while (_t109 > 0xc);
                                                                  				goto L3;
                                                                  			}














                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3a53240d1ff2e6a54c485aafc29675fea109497b1cbdbcdb71818d823280feeb
                                                                  • Instruction ID: 4f2c7345300522f8efab797650d0f57aff86ffded578c1633b2e6f11b4f1150f
                                                                  • Opcode Fuzzy Hash: 3a53240d1ff2e6a54c485aafc29675fea109497b1cbdbcdb71818d823280feeb
                                                                  • Instruction Fuzzy Hash: AF02BE32900235DFDB92CF6DC540109B7B6FF8A72472A82D6D854AB229D270AE52DFD1
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E0040ECB4(signed int __eax, void* __ebx, void* __ecx, void* __edx, signed int __edi, void* __esi) {
                                                                  				signed char _t146;
                                                                  				signed char _t147;
                                                                  				signed char _t148;
                                                                  				signed char _t149;
                                                                  				signed char _t150;
                                                                  				signed char _t151;
                                                                  				signed char _t152;
                                                                  				signed char _t153;
                                                                  				signed char _t154;
                                                                  				signed char _t155;
                                                                  				signed char _t156;
                                                                  				signed char _t157;
                                                                  				signed char _t158;
                                                                  				signed char _t159;
                                                                  				signed char _t160;
                                                                  				signed char _t161;
                                                                  				signed char _t162;
                                                                  				signed char _t163;
                                                                  				signed char _t164;
                                                                  				signed char _t165;
                                                                  				signed char _t166;
                                                                  				signed char _t167;
                                                                  				signed char _t168;
                                                                  				signed char _t169;
                                                                  				signed char _t170;
                                                                  				signed char _t171;
                                                                  				signed char _t172;
                                                                  				signed char _t173;
                                                                  				signed char _t174;
                                                                  				signed char _t175;
                                                                  				signed char _t176;
                                                                  				signed char _t177;
                                                                  				signed char _t178;
                                                                  				signed char _t179;
                                                                  				signed char _t180;
                                                                  				signed char _t181;
                                                                  				void* _t184;
                                                                  				void* _t188;
                                                                  				void* _t196;
                                                                  				void* _t204;
                                                                  				void* _t209;
                                                                  				void* _t210;
                                                                  				void* _t211;
                                                                  				void* _t212;
                                                                  				void* _t213;
                                                                  				void* _t214;
                                                                  				void* _t215;
                                                                  				void* _t216;
                                                                  				void* _t220;
                                                                  				void* _t228;
                                                                  				void* _t236;
                                                                  				void* _t246;
                                                                  
                                                                  				_t146 = __eax ^ 0x00000006;
                                                                  				_t184 = __ebx - 1;
                                                                  				 *((intOrPtr*)(__edi + 0x340000ff)) =  *((intOrPtr*)(__edi + 0x340000ff)) + _t184;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(_t146 + 0x340000ff)) =  *((intOrPtr*)(_t146 + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__ecx + 0x340000ff)) =  *((intOrPtr*)(__ecx + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__edx + 0x340000ff)) =  *((intOrPtr*)(__edx + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				_t188 = _t184 - 0xfffffffffffffffe;
                                                                  				 *((intOrPtr*)(_t188 + 0x340000ff)) =  *((intOrPtr*)(_t188 + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) =  *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) + _t146;
                                                                  				 *((intOrPtr*)(_t246 + 0x340000ff)) =  *((intOrPtr*)(_t246 + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__esi + 0x340000ff)) =  *((intOrPtr*)(__esi + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__edi + 0x340000ff)) =  *((intOrPtr*)(__edi + 0x340000ff)) + _t146;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(_t146 + 0x340000ff)) =  *((intOrPtr*)(_t146 + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__ecx + 0x340000ff)) =  *((intOrPtr*)(__ecx + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__edx + 0x340000ff)) =  *((intOrPtr*)(__edx + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				_t196 = _t188 - 0xfffffffffffffffa;
                                                                  				 *((intOrPtr*)(_t196 + 0x340000ff)) =  *((intOrPtr*)(_t196 + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) =  *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) + __ecx;
                                                                  				 *((intOrPtr*)(_t246 + 0x340000ff)) =  *((intOrPtr*)(_t246 + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__esi + 0x340000ff)) =  *((intOrPtr*)(__esi + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(__edi + 0x340000ff)) =  *((intOrPtr*)(__edi + 0x340000ff)) + __ecx;
                                                                  				_push(es);
                                                                  				 *((intOrPtr*)(_t146 - 1)) =  *((intOrPtr*)(_t146 - 1)) + __edx;
                                                                  				 *_t146 =  *_t146 + _t146;
                                                                  				_t147 = _t146 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + __edx;
                                                                  				 *_t147 =  *_t147 + _t147;
                                                                  				_t148 = _t147 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + __edx;
                                                                  				 *_t148 =  *_t148 + _t148;
                                                                  				_t149 = _t148 ^ 0x00000006;
                                                                  				_t204 = _t196 - 0xfffffffffffffffa;
                                                                  				 *((intOrPtr*)(_t204 - 1)) =  *((intOrPtr*)(_t204 - 1)) + __edx;
                                                                  				 *_t149 =  *_t149 + _t149;
                                                                  				_t150 = _t149 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + __edx;
                                                                  				 *((intOrPtr*)(__esi + _t150)) =  *((intOrPtr*)(__esi + _t150)) + __edx;
                                                                  				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + __edx;
                                                                  				 *_t150 =  *_t150 + _t150;
                                                                  				_t151 = _t150 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + __edx;
                                                                  				 *_t151 =  *_t151 + _t151;
                                                                  				_t152 = _t151 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + __edx;
                                                                  				 *_t152 =  *_t152 + _t152;
                                                                  				_t153 = _t152 ^ 0x00000006;
                                                                  				_t209 = _t204 - 0xfffffffffffffffd;
                                                                  				 *((intOrPtr*)(_t153 - 1)) =  *((intOrPtr*)(_t153 - 1)) + _t209;
                                                                  				 *_t153 =  *_t153 + _t153;
                                                                  				_t154 = _t153 ^ 0x00000006;
                                                                  				_t210 = _t209 - 1;
                                                                  				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + _t210;
                                                                  				 *_t154 =  *_t154 + _t154;
                                                                  				_t155 = _t154 ^ 0x00000006;
                                                                  				_t211 = _t210 - 1;
                                                                  				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + _t211;
                                                                  				 *_t155 =  *_t155 + _t155;
                                                                  				_t156 = _t155 ^ 0x00000006;
                                                                  				_t212 = _t211 - 1;
                                                                  				 *((intOrPtr*)(_t212 - 1)) =  *((intOrPtr*)(_t212 - 1)) + _t212;
                                                                  				 *_t156 =  *_t156 + _t156;
                                                                  				_t157 = _t156 ^ 0x00000006;
                                                                  				_t213 = _t212 - 1;
                                                                  				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + _t213;
                                                                  				 *((intOrPtr*)(__esi + _t157)) =  *((intOrPtr*)(__esi + _t157)) + __edx;
                                                                  				_t214 = _t213 - 1;
                                                                  				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + _t214;
                                                                  				 *_t157 =  *_t157 + _t157;
                                                                  				_t158 = _t157 ^ 0x00000006;
                                                                  				_t215 = _t214 - 1;
                                                                  				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + _t215;
                                                                  				 *_t158 =  *_t158 + _t158;
                                                                  				_t159 = _t158 ^ 0x00000006;
                                                                  				_t216 = _t215 - 1;
                                                                  				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + _t216;
                                                                  				 *_t159 =  *_t159 + _t159;
                                                                  				_t160 = _t159 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(_t160 - 1)) =  *((intOrPtr*)(_t160 - 1)) + _t160;
                                                                  				 *_t160 =  *_t160 + _t160;
                                                                  				_t161 = _t160 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + _t161;
                                                                  				 *_t161 =  *_t161 + _t161;
                                                                  				_t162 = _t161 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + _t162;
                                                                  				 *_t162 =  *_t162 + _t162;
                                                                  				_t163 = _t162 ^ 0x00000006;
                                                                  				_t220 = _t216 - 0xfffffffffffffffe;
                                                                  				 *((intOrPtr*)(_t220 - 1)) =  *((intOrPtr*)(_t220 - 1)) + _t163;
                                                                  				 *_t163 =  *_t163 + _t163;
                                                                  				_t164 = _t163 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + _t164;
                                                                  				 *((intOrPtr*)(__esi + _t164)) =  *((intOrPtr*)(__esi + _t164)) + __edx;
                                                                  				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + _t164;
                                                                  				 *_t164 =  *_t164 + _t164;
                                                                  				_t165 = _t164 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + _t165;
                                                                  				 *_t165 =  *_t165 + _t165;
                                                                  				_t166 = _t165 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + _t166;
                                                                  				 *_t166 =  *_t166 + _t166;
                                                                  				_t167 = _t166 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(_t167 - 1)) =  *((intOrPtr*)(_t167 - 1)) + __ecx;
                                                                  				 *_t167 =  *_t167 + _t167;
                                                                  				_t168 = _t167 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + __ecx;
                                                                  				 *_t168 =  *_t168 + _t168;
                                                                  				_t169 = _t168 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + __ecx;
                                                                  				 *_t169 =  *_t169 + _t169;
                                                                  				_t170 = _t169 ^ 0x00000006;
                                                                  				_t228 = _t220 - 0xfffffffffffffffa;
                                                                  				 *((intOrPtr*)(_t228 - 1)) =  *((intOrPtr*)(_t228 - 1)) + __ecx;
                                                                  				 *_t170 =  *_t170 + _t170;
                                                                  				_t171 = _t170 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + __ecx;
                                                                  				 *((intOrPtr*)(__esi + _t171)) =  *((intOrPtr*)(__esi + _t171)) + __edx;
                                                                  				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + __ecx;
                                                                  				 *_t171 =  *_t171 + _t171;
                                                                  				_t172 = _t171 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + __ecx;
                                                                  				 *_t172 =  *_t172 + _t172;
                                                                  				_t173 = _t172 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + __ecx;
                                                                  				 *_t173 =  *_t173 + _t173;
                                                                  				_t174 = _t173 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(_t174 - 1)) =  *((intOrPtr*)(_t174 - 1)) + __edx;
                                                                  				 *_t174 =  *_t174 + _t174;
                                                                  				_t175 = _t174 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + __edx;
                                                                  				 *_t175 =  *_t175 + _t175;
                                                                  				_t176 = _t175 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + __edx;
                                                                  				 *_t176 =  *_t176 + _t176;
                                                                  				_t177 = _t176 ^ 0x00000006;
                                                                  				_t236 = _t228 - 0xfffffffffffffffa;
                                                                  				 *((intOrPtr*)(_t236 - 1)) =  *((intOrPtr*)(_t236 - 1)) + __edx;
                                                                  				 *_t177 =  *_t177 + _t177;
                                                                  				_t178 = _t177 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + __edx;
                                                                  				 *((intOrPtr*)(__esi + _t178)) =  *((intOrPtr*)(__esi + _t178)) + __edx;
                                                                  				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + __edx;
                                                                  				 *_t178 =  *_t178 + _t178;
                                                                  				_t179 = _t178 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + __edx;
                                                                  				 *_t179 =  *_t179 + _t179;
                                                                  				_t180 = _t179 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + __edx;
                                                                  				 *_t180 =  *_t180 + _t180;
                                                                  				_t181 = _t180 ^ 0x00000006;
                                                                  				 *((intOrPtr*)(_t181 - 1)) =  *((intOrPtr*)(_t181 - 1)) + _t236 - 0xfffffffffffffffd;
                                                                  				 *_t181 =  *_t181 + _t181;
                                                                  				return 0x40ee8a;
                                                                  			}























































                                                                  0x0040ee2a
                                                                  0x0040ee2c
                                                                  0x0040ee2f
                                                                  0x0040ee32
                                                                  0x0040ee34
                                                                  0x0040ee37
                                                                  0x0040ee3a
                                                                  0x0040ee3c
                                                                  0x0040ee3f
                                                                  0x0040ee42
                                                                  0x0040ee44
                                                                  0x0040ee47
                                                                  0x0040ee4a
                                                                  0x0040ee4c
                                                                  0x0040ee4f
                                                                  0x0040ee52
                                                                  0x0040ee54
                                                                  0x0040ee56
                                                                  0x0040ee57
                                                                  0x0040ee5a
                                                                  0x0040ee5c
                                                                  0x0040ee5f
                                                                  0x0040ee63
                                                                  0x0040ee67
                                                                  0x0040ee6a
                                                                  0x0040ee6c
                                                                  0x0040ee6f
                                                                  0x0040ee72
                                                                  0x0040ee74
                                                                  0x0040ee77
                                                                  0x0040ee7a
                                                                  0x0040ee7c
                                                                  0x0040ee7f
                                                                  0x0040ee82
                                                                  0x0040ee89

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 622fbd8048fd543cdc2cb0be557f41394da94c826b34e88aea9dfaf07a3619e9
                                                                  • Instruction ID: 2cea75af83b0793a95f332b946a4bc9c29eeecd7935183ae600d0464b4d82da5
                                                                  • Opcode Fuzzy Hash: 622fbd8048fd543cdc2cb0be557f41394da94c826b34e88aea9dfaf07a3619e9
                                                                  • Instruction Fuzzy Hash: 3371B7015EEBCA6FCB97833008A85D6AF61AE5316578B53EBCC818E497914D241EF372
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                                  • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
                                                                  • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                                  • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00427760() {
                                                                  				struct HINSTANCE__* _v8;
                                                                  				intOrPtr _t46;
                                                                  				void* _t91;
                                                                  
                                                                  				_v8 = GetModuleHandleW(L"oleaut32.dll");
                                                                  				 *0x4b30e4 = E00427734("VariantChangeTypeEx", E00427150, _t91);
                                                                  				 *0x4b30e8 = E00427734("VarNeg", E00427198, _t91);
                                                                  				 *0x4b30ec = E00427734("VarNot", E00427198, _t91);
                                                                  				 *0x4b30f0 = E00427734("VarAdd", E004271A4, _t91);
                                                                  				 *0x4b30f4 = E00427734("VarSub", E004271A4, _t91);
                                                                  				 *0x4b30f8 = E00427734("VarMul", E004271A4, _t91);
                                                                  				 *0x4b30fc = E00427734("VarDiv", E004271A4, _t91);
                                                                  				 *0x4b3100 = E00427734("VarIdiv", E004271A4, _t91);
                                                                  				 *0x4b3104 = E00427734("VarMod", E004271A4, _t91);
                                                                  				 *0x4b3108 = E00427734("VarAnd", E004271A4, _t91);
                                                                  				 *0x4b310c = E00427734("VarOr", E004271A4, _t91);
                                                                  				 *0x4b3110 = E00427734("VarXor", E004271A4, _t91);
                                                                  				 *0x4b3114 = E00427734("VarCmp", E004271B0, _t91);
                                                                  				 *0x4b3118 = E00427734("VarI4FromStr", E004271BC, _t91);
                                                                  				 *0x4b311c = E00427734("VarR4FromStr", E00427228, _t91);
                                                                  				 *0x4b3120 = E00427734("VarR8FromStr", E00427298, _t91);
                                                                  				 *0x4b3124 = E00427734("VarDateFromStr", E00427308, _t91);
                                                                  				 *0x4b3128 = E00427734("VarCyFromStr", E00427378, _t91);
                                                                  				 *0x4b312c = E00427734("VarBoolFromStr", E004273E8, _t91);
                                                                  				 *0x4b3130 = E00427734("VarBstrFromCy", E00427468, _t91);
                                                                  				 *0x4b3134 = E00427734("VarBstrFromDate", E00427510, _t91);
                                                                  				_t46 = E00427734("VarBstrFromBool", E004276A0, _t91);
                                                                  				 *0x4b3138 = _t46;
                                                                  				return _t46;
                                                                  			}







                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00427769
                                                                    • Part of subcall function 00427734: GetProcAddress.KERNEL32(00000000), ref: 0042774D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                  • API String ID: 1646373207-1918263038
                                                                  • Opcode ID: 48e8c45941e3087f339835e92e208a9ec034c2b79a5d31d0d58655ea58982c29
                                                                  • Instruction ID: 0d53f7084111da00e6f8be9bb035bcb00c42a4e9e77ce097fa9a4c868214a819
                                                                  • Opcode Fuzzy Hash: 48e8c45941e3087f339835e92e208a9ec034c2b79a5d31d0d58655ea58982c29
                                                                  • Instruction Fuzzy Hash: 224109A070D2349BA308AB6FB84243AB798DB857143E4C17FB8048A745DF38B981C66D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 82%
                                                                  			E0041E8EC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
                                                                  				signed int _v8;
                                                                  				char _v12;
                                                                  				signed int _v16;
                                                                  				intOrPtr _v20;
                                                                  				intOrPtr* _t32;
                                                                  				signed int _t53;
                                                                  				signed int _t56;
                                                                  				signed int _t71;
                                                                  				signed int _t78;
                                                                  				signed int* _t82;
                                                                  				signed int _t85;
                                                                  				void* _t93;
                                                                  				signed int _t94;
                                                                  				signed int _t95;
                                                                  				signed int _t98;
                                                                  				signed int _t99;
                                                                  				void* _t105;
                                                                  				intOrPtr _t106;
                                                                  				signed int _t109;
                                                                  				intOrPtr _t116;
                                                                  				intOrPtr _t117;
                                                                  				void* _t131;
                                                                  				void* _t132;
                                                                  				signed int _t134;
                                                                  				void* _t136;
                                                                  				void* _t137;
                                                                  				void* _t139;
                                                                  				void* _t140;
                                                                  				intOrPtr _t141;
                                                                  				void* _t142;
                                                                  				long long _t161;
                                                                  
                                                                  				_t161 = __fp0;
                                                                  				_t126 = __edi;
                                                                  				_t109 = __edx;
                                                                  				_t139 = _t140;
                                                                  				_t141 = _t140 + 0xfffffff0;
                                                                  				_push(__edi);
                                                                  				_v12 = 0;
                                                                  				_v8 = __edx;
                                                                  				_t93 = __eax;
                                                                  				_push(_t139);
                                                                  				_push(0x41eb81);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t141;
                                                                  				_t32 =  *0x4ac590; // 0x4ad8f8
                                                                  				_t144 =  *_t32;
                                                                  				if( *_t32 == 0) {
                                                                  					E0040552C(0x1a);
                                                                  				}
                                                                  				E0040665C(E004068E0( *0x4b07e4, 0, _t126), _t109 | 0xffffffff, _t144);
                                                                  				_push(_t139);
                                                                  				_push(0x41eb64);
                                                                  				_push( *[fs:edx]);
                                                                  				 *[fs:edx] = _t141;
                                                                  				 *0x4b07dc = 0;
                                                                  				_push(0);
                                                                  				E00409F74();
                                                                  				_t142 = _t141 + 4;
                                                                  				E0041E154(_t93, 0x41eb9c, 0x100b,  &_v12);
                                                                  				_t127 = E0041A2E4(0x41eb9c, 1, _t144);
                                                                  				if(_t127 + 0xfffffffd - 3 >= 0) {
                                                                  					__eflags = _t127 - 0xffffffffffffffff;
                                                                  					if(_t127 - 0xffffffffffffffff < 0) {
                                                                  						 *0x4b07dc = 1;
                                                                  						_push(1);
                                                                  						E00409F74();
                                                                  						_t142 = _t142 + 4;
                                                                  						E00407DD4( *0x4b07e0, L"B.C.");
                                                                  						 *((intOrPtr*)( *0x4b07e0 + 4)) = 0;
                                                                  						_t71 =  *0x4b07e0;
                                                                  						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
                                                                  						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
                                                                  						E0041C2E4(1, 1, 1, __eflags, _t161);
                                                                  						_v20 = E00405770();
                                                                  						_v16 = 1;
                                                                  						asm("fild qword [ebp-0x10]");
                                                                  						 *((long long*)( *0x4b07e0 + 0x10)) = _t161;
                                                                  						asm("wait");
                                                                  						EnumCalendarInfoW(E0041E7C4, GetThreadLocale(), _t127, 4);
                                                                  						_t78 =  *0x4b07e0;
                                                                  						__eflags = _t78;
                                                                  						if(_t78 != 0) {
                                                                  							_t82 = _t78 - 4;
                                                                  							__eflags = _t82;
                                                                  							_t78 =  *_t82;
                                                                  						}
                                                                  						_t134 = _t78 - 1;
                                                                  						__eflags = _t134;
                                                                  						if(_t134 > 0) {
                                                                  							_t98 = 1;
                                                                  							do {
                                                                  								 *((intOrPtr*)( *0x4b07e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
                                                                  								_t98 = _t98 + 1;
                                                                  								_t134 = _t134 - 1;
                                                                  								__eflags = _t134;
                                                                  							} while (_t134 != 0);
                                                                  						}
                                                                  						EnumCalendarInfoW(E0041E85C, GetThreadLocale(), _t127, 3);
                                                                  					}
                                                                  				} else {
                                                                  					EnumCalendarInfoW(E0041E7C4, GetThreadLocale(), _t127, 4);
                                                                  					_t85 =  *0x4b07e0;
                                                                  					if(_t85 != 0) {
                                                                  						_t85 =  *(_t85 - 4);
                                                                  					}
                                                                  					_t136 = _t85 - 1;
                                                                  					if(_t136 >= 0) {
                                                                  						_t137 = _t136 + 1;
                                                                  						_t99 = 0;
                                                                  						do {
                                                                  							 *((intOrPtr*)( *0x4b07e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
                                                                  							_t99 = _t99 + 1;
                                                                  							_t137 = _t137 - 1;
                                                                  						} while (_t137 != 0);
                                                                  					}
                                                                  					EnumCalendarInfoW(E0041E85C, GetThreadLocale(), _t127, 3);
                                                                  				}
                                                                  				_t94 =  *0x4b07e0;
                                                                  				if(_t94 != 0) {
                                                                  					_t94 =  *(_t94 - 4);
                                                                  				}
                                                                  				_push(_t94);
                                                                  				E00409F74();
                                                                  				_t53 =  *0x4b07e0;
                                                                  				if(_t53 != 0) {
                                                                  					_t53 =  *(_t53 - 4);
                                                                  				}
                                                                  				_t131 = _t53 - 1;
                                                                  				if(_t131 >= 0) {
                                                                  					_t132 = _t131 + 1;
                                                                  					_t95 = 0;
                                                                  					do {
                                                                  						_t127 = _t95 + _t95 * 2;
                                                                  						_t106 =  *0x416f2c; // 0x416f30
                                                                  						E00409010( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4b07e0 + (_t95 + _t95 * 2) * 8);
                                                                  						_t95 = _t95 + 1;
                                                                  						_t132 = _t132 - 1;
                                                                  					} while (_t132 != 0);
                                                                  				}
                                                                  				_t116 =  *0x41e720; // 0x41e724
                                                                  				E0040A098(0x4b07e0, _t116);
                                                                  				_t56 =  *0x4b07e0;
                                                                  				if(_t56 != 0) {
                                                                  					_t56 =  *(_t56 - 4);
                                                                  				}
                                                                  				 *0x4b07dc = _t56;
                                                                  				_pop(_t117);
                                                                  				_pop(_t105);
                                                                  				 *[fs:eax] = _t117;
                                                                  				_push(0x41eb6b);
                                                                  				return E0040683C( *0x4b07e4, _t105, _t127);
                                                                  			}



































                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E990
                                                                  • EnumCalendarInfoW.KERNEL32(0041E7C4,00000000,00000000,00000004), ref: 0041E99B
                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041E9D0
                                                                  • EnumCalendarInfoW.KERNEL32(0041E85C,00000000,00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041E9DB
                                                                  • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041EA6C
                                                                  • EnumCalendarInfoW.KERNEL32(0041E7C4,00000000,00000000,00000004), ref: 0041EA77
                                                                  • GetThreadLocale.KERNEL32(00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041EAAE
                                                                  • EnumCalendarInfoW.KERNEL32(0041E85C,00000000,00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041EAB9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CalendarEnumInfoLocaleThread
                                                                  • String ID: $A$0oA$B.C.$hpA
                                                                  • API String ID: 683597275-4049206235
                                                                  • Opcode ID: 586092908fac795f1ae75f7d09ce9ba69cd4a05a951f472f02cb7e4a83f9f400
                                                                  • Instruction ID: 31764f9b4395ddee8a33e7efece694c8c2e23c621918c970f88beb3215b81749
                                                                  • Opcode Fuzzy Hash: 586092908fac795f1ae75f7d09ce9ba69cd4a05a951f472f02cb7e4a83f9f400
                                                                  • Instruction Fuzzy Hash: 1B61B6746012019FD710DF6ACC81A9AB765FB44354F10867AF911973E5DA38ED81CF9C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E0040A5C4() {
                                                                  				signed int _t2;
                                                                  				_Unknown_base(*)()* _t8;
                                                                  
                                                                  				InitializeCriticalSection(0x4afc10);
                                                                  				 *0x4afc28 = 0x7f;
                                                                  				_t2 = GetVersion() & 0x000000ff;
                                                                  				 *0x4afc0c = _t2 - 6 >= 0;
                                                                  				if( *0x4afc0c != 0) {
                                                                  					 *0x4afc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
                                                                  					 *0x4afc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
                                                                  					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
                                                                  					 *0x4afc08 = _t8;
                                                                  					return _t8;
                                                                  				}
                                                                  				return _t2;
                                                                  			}






                                                                  APIs
                                                                  • InitializeCriticalSection.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5C9
                                                                  • GetVersion.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5D7
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5FE
                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A604
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A618
                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A61E
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A632
                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A638
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                                                  • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                                                  • API String ID: 74573329-1403180336
                                                                  • Opcode ID: 93963328a1992207510c5a143f88d452738f2b7cd2c03137b8683a113ef3510e
                                                                  • Instruction ID: 77c12324a04305e01794a5ee660b83a9054d5f7758015fb80e29bcc474d3137b
                                                                  • Opcode Fuzzy Hash: 93963328a1992207510c5a143f88d452738f2b7cd2c03137b8683a113ef3510e
                                                                  • Instruction Fuzzy Hash: 9AF012A09813453CE6207FF79C0BB181D286A1271AF684C7BB880B62D3CEBE4654971E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 71%
                                                                  			E0041E1CC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                  				char _v8;
                                                                  				char _v12;
                                                                  				char _v16;
                                                                  				char _v20;
                                                                  				char _v24;
                                                                  				char _v28;
                                                                  				char _v32;
                                                                  				char _v36;
                                                                  				char _v40;
                                                                  				char _v44;
                                                                  				char _v48;
                                                                  				char _v52;
                                                                  				char _v56;
                                                                  				char _v60;
                                                                  				int _t55;
                                                                  				void* _t121;
                                                                  				void* _t128;
                                                                  				void* _t151;
                                                                  				void* _t152;
                                                                  				intOrPtr _t172;
                                                                  				intOrPtr _t204;
                                                                  				signed short _t212;
                                                                  				int _t214;
                                                                  				intOrPtr _t216;
                                                                  				intOrPtr _t217;
                                                                  				void* _t224;
                                                                  
                                                                  				_t224 = __fp0;
                                                                  				_t211 = __edi;
                                                                  				_t216 = _t217;
                                                                  				_t152 = 7;
                                                                  				do {
                                                                  					_push(0);
                                                                  					_push(0);
                                                                  					_t152 = _t152 - 1;
                                                                  				} while (_t152 != 0);
                                                                  				_push(__edi);
                                                                  				_t151 = __edx;
                                                                  				_t214 = __eax;
                                                                  				_push(_t216);
                                                                  				_push(0x41e4b1);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t217;
                                                                  				_t55 = IsValidLocale(__eax, 1);
                                                                  				_t219 = _t55;
                                                                  				if(_t55 == 0) {
                                                                  					_t214 = GetThreadLocale();
                                                                  				}
                                                                  				_t172 =  *0x417064; // 0x417068
                                                                  				E0040A098(_t151 + 0xbc, _t172);
                                                                  				E0041E8EC(_t214, _t151, _t151, _t211, _t214, _t224);
                                                                  				E0041E5C0(_t214, _t151, _t151, _t211, _t214);
                                                                  				E0041E67C(_t214, _t151, _t151, _t211, _t214);
                                                                  				E0041E154(_t214, 0, 0x14,  &_v20);
                                                                  				E00407DD4(_t151, _v20);
                                                                  				E0041E154(_t214, 0x41e4cc, 0x1b,  &_v24);
                                                                  				 *((char*)(_t151 + 4)) = E0041A2E4(0x41e4cc, 0, _t219);
                                                                  				E0041E154(_t214, 0x41e4cc, 0x1c,  &_v28);
                                                                  				 *((char*)(_t151 + 0xc6)) = E0041A2E4(0x41e4cc, 0, _t219);
                                                                  				 *((short*)(_t151 + 0xc0)) = E0041E1A0(_t214, 0x2c, 0xf);
                                                                  				 *((short*)(_t151 + 0xc2)) = E0041E1A0(_t214, 0x2e, 0xe);
                                                                  				E0041E154(_t214, 0x41e4cc, 0x19,  &_v32);
                                                                  				 *((char*)(_t151 + 5)) = E0041A2E4(0x41e4cc, 0, _t219);
                                                                  				_t212 = E0041E1A0(_t214, 0x2f, 0x1d);
                                                                  				 *(_t151 + 6) = _t212;
                                                                  				_push(_t212);
                                                                  				E0041EC38(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
                                                                  				E00407DD4(_t151 + 0xc, _v36);
                                                                  				_push( *(_t151 + 6) & 0x0000ffff);
                                                                  				E0041EC38(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
                                                                  				E00407DD4(_t151 + 0x10, _v40);
                                                                  				 *((short*)(_t151 + 8)) = E0041E1A0(_t214, 0x3a, 0x1e);
                                                                  				E0041E154(_t214, 0x41e520, 0x28,  &_v44);
                                                                  				E00407DD4(_t151 + 0x14, _v44);
                                                                  				E0041E154(_t214, 0x41e534, 0x29,  &_v48);
                                                                  				E00407DD4(_t151 + 0x18, _v48);
                                                                  				E004079F4( &_v12);
                                                                  				E004079F4( &_v16);
                                                                  				E0041E154(_t214, 0x41e4cc, 0x25,  &_v52);
                                                                  				_t121 = E0041A2E4(0x41e4cc, 0, _t219);
                                                                  				_t220 = _t121;
                                                                  				if(_t121 != 0) {
                                                                  					E00407E1C( &_v8, 0x41e558);
                                                                  				} else {
                                                                  					E00407E1C( &_v8, 0x41e548);
                                                                  				}
                                                                  				E0041E154(_t214, 0x41e4cc, 0x23,  &_v56);
                                                                  				_t128 = E0041A2E4(0x41e4cc, 0, _t220);
                                                                  				_t221 = _t128;
                                                                  				if(_t128 == 0) {
                                                                  					E0041E154(_t214, 0x41e4cc, 0x1005,  &_v60);
                                                                  					if(E0041A2E4(0x41e4cc, 0, _t221) != 0) {
                                                                  						E00407E1C( &_v12, L"AMPM ");
                                                                  					} else {
                                                                  						E00407E1C( &_v16, L" AMPM");
                                                                  					}
                                                                  				}
                                                                  				_push(_v12);
                                                                  				_push(_v8);
                                                                  				_push(":mm");
                                                                  				_push(_v16);
                                                                  				E004087A4(_t151 + 0x1c, _t151, 4, _t212, _t214);
                                                                  				_push(_v12);
                                                                  				_push(_v8);
                                                                  				_push(L":mm:ss");
                                                                  				_push(_v16);
                                                                  				E004087A4(_t151 + 0x20, _t151, 4, _t212, _t214);
                                                                  				 *((short*)(_t151 + 0xa)) = E0041E1A0(_t214, 0x2c, 0xc);
                                                                  				 *((short*)(_t151 + 0xc4)) = 0x32;
                                                                  				_pop(_t204);
                                                                  				 *[fs:eax] = _t204;
                                                                  				_push(0x41e4b8);
                                                                  				return E00407A54( &_v60, 0xe);
                                                                  			}

                                                                  APIs
                                                                  • IsValidLocale.KERNEL32(?,00000001,00000000,0041E4B1,?,?,?,?,00000000,00000000), ref: 0041E1F3
                                                                  • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E4B1,?,?,?,?,00000000,00000000), ref: 0041E1FC
                                                                    • Part of subcall function 0041E1A0: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E2A2,?,00000001,00000000,0041E4B1), ref: 0041E1B3
                                                                    • Part of subcall function 0041E154: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E172
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Locale$Info$ThreadValid
                                                                  • String ID: AMPM$2$:mm$:mm:ss$AMPM $hpA$m/d/yy$mmmm d, yyyy
                                                                  • API String ID: 233154393-3514583240
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 71%
                                                                  			E0040AB58(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                  				char _v8;
                                                                  				void* _t18;
                                                                  				signed short _t28;
                                                                  				intOrPtr _t35;
                                                                  				intOrPtr* _t44;
                                                                  				intOrPtr _t47;
                                                                  
                                                                  				_t42 = __edi;
                                                                  				_push(0);
                                                                  				_push(__ebx);
                                                                  				_push(__esi);
                                                                  				_t44 = __edx;
                                                                  				_t28 = __eax;
                                                                  				_push(_t47);
                                                                  				_push(0x40ac5c);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t47;
                                                                  				EnterCriticalSection(0x4afc10);
                                                                  				if(_t28 !=  *0x4afc28) {
                                                                  					LeaveCriticalSection(0x4afc10);
                                                                  					E004079F4(_t44);
                                                                  					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                                                  						if( *0x4afc0c == 0) {
                                                                  							_t18 = E0040A840(_t28, _t28, _t44, __edi, _t44);
                                                                  							L00403738();
                                                                  							if(_t28 != _t18) {
                                                                  								if( *_t44 != 0) {
                                                                  									_t18 = E004086C4(_t44, E0040AC74);
                                                                  								}
                                                                  								L00403738();
                                                                  								E0040A840(_t18, _t28,  &_v8, _t42, _t44);
                                                                  								E004086C4(_t44, _v8);
                                                                  							}
                                                                  						} else {
                                                                  							E0040AA3C(_t28, _t44);
                                                                  						}
                                                                  					}
                                                                  					EnterCriticalSection(0x4afc10);
                                                                  					 *0x4afc28 = _t28;
                                                                  					E0040A6C0(0x4afc2a, E004084C8( *_t44), 0xaa);
                                                                  					LeaveCriticalSection(0x4afc10);
                                                                  				} else {
                                                                  					E0040856C(_t44, 0x55, 0x4afc2a);
                                                                  					LeaveCriticalSection(0x4afc10);
                                                                  				}
                                                                  				_pop(_t35);
                                                                  				 *[fs:eax] = _t35;
                                                                  				_push(E0040AC63);
                                                                  				return E004079F4( &_v8);
                                                                  			}

                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B,?,?,00000000,00000000,00000000), ref: 0040AB76
                                                                  • LeaveCriticalSection.KERNEL32(004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B,?,?,00000000,00000000), ref: 0040AB9A
                                                                  • LeaveCriticalSection.KERNEL32(004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B,?,?,00000000,00000000), ref: 0040ABA9
                                                                  • IsValidLocale.KERNEL32(00000000,00000002,004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B), ref: 0040ABBB
                                                                  • EnterCriticalSection.KERNEL32(004AFC10,00000000,00000002,004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B), ref: 0040AC18
                                                                  • LeaveCriticalSection.KERNEL32(004AFC10,004AFC10,00000000,00000002,004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B), ref: 0040AC41
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                  • String ID: en-US,en,
                                                                  • API String ID: 975949045-3579323720
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 61%
                                                                  			E00422F10(void* __ebx, void* __esi, void* __eflags) {
                                                                  				char _v8;
                                                                  				void* _v12;
                                                                  				char _v16;
                                                                  				char _v20;
                                                                  				intOrPtr* _t21;
                                                                  				intOrPtr _t61;
                                                                  				void* _t68;
                                                                  
                                                                  				_push(__ebx);
                                                                  				_v20 = 0;
                                                                  				_v8 = 0;
                                                                  				_push(_t68);
                                                                  				_push(0x42300a);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t68 + 0xfffffff0;
                                                                  				_t21 = E0040E4A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                                                  				if(_t21 == 0) {
                                                                  					if(E0042004C() != 2) {
                                                                  						if(E00422EE8(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                                                  							E00422EDC();
                                                                  							RegCloseKey(_v12);
                                                                  						}
                                                                  					} else {
                                                                  						if(E00422EE8(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                                                  							E00422EDC();
                                                                  							RegCloseKey(_v12);
                                                                  						}
                                                                  					}
                                                                  					E0040871C( &_v20, _v8, 0x423120);
                                                                  					E00405900(_v20,  &_v16);
                                                                  					if(_v16 != 0) {
                                                                  					}
                                                                  				} else {
                                                                  					 *_t21();
                                                                  				}
                                                                  				_pop(_t61);
                                                                  				 *[fs:eax] = _t61;
                                                                  				_push(E00423011);
                                                                  				E004079F4( &_v20);
                                                                  				return E004079F4( &_v8);
                                                                  			}

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042300A), ref: 00422F37
                                                                    • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042300A), ref: 00422F8A
                                                                  Similarity
                                                                  • API ID: AddressCloseHandleModuleProc
                                                                  • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                  • API String ID: 4190037839-2401316094
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 67%
                                                                  			E0040D554(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                                  				long _v8;
                                                                  				signed int _v12;
                                                                  				long _v16;
                                                                  				void* _v20;
                                                                  				long _v24;
                                                                  				intOrPtr _v28;
                                                                  				intOrPtr _v32;
                                                                  				intOrPtr _v36;
                                                                  				intOrPtr _v40;
                                                                  				intOrPtr _v44;
                                                                  				struct HINSTANCE__** _v48;
                                                                  				CHAR* _v52;
                                                                  				void _v56;
                                                                  				long _v60;
                                                                  				_Unknown_base(*)()* _v64;
                                                                  				struct HINSTANCE__* _v68;
                                                                  				CHAR* _v72;
                                                                  				signed int _v76;
                                                                  				CHAR* _v80;
                                                                  				intOrPtr* _v84;
                                                                  				void* _v88;
                                                                  				void _v92;
                                                                  				signed int _t104;
                                                                  				signed int _t106;
                                                                  				signed int _t108;
                                                                  				long _t113;
                                                                  				intOrPtr* _t119;
                                                                  				void* _t124;
                                                                  				void _t126;
                                                                  				long _t128;
                                                                  				struct HINSTANCE__* _t142;
                                                                  				long _t166;
                                                                  				signed int* _t190;
                                                                  				_Unknown_base(*)()* _t191;
                                                                  				void* _t194;
                                                                  				intOrPtr _t196;
                                                                  
                                                                  				_push(_a4);
                                                                  				memcpy( &_v56, 0x4a9c40, 8 << 2);
                                                                  				_pop(_t194);
                                                                  				_v56 =  *0x4a9c40;
                                                                  				_v52 = E0040DA04( *0x004A9C44);
                                                                  				_v48 = E0040DA14( *0x004A9C48);
                                                                  				_v44 = E0040DA24( *0x004A9C4C);
                                                                  				_v40 = E0040DA34( *0x004A9C50);
                                                                  				_v36 = E0040DA34( *0x004A9C54);
                                                                  				_v32 = E0040DA34( *0x004A9C58);
                                                                  				_v28 =  *0x004A9C5C;
                                                                  				memcpy( &_v92, 0x4a9c60, 9 << 2);
                                                                  				_t196 = _t194;
                                                                  				_v88 = 0x4a9c60;
                                                                  				_v84 = _a8;
                                                                  				_v80 = _v52;
                                                                  				if((_v56 & 0x00000001) == 0) {
                                                                  					_t166 =  *0x4a9c84; // 0x0
                                                                  					_v8 = _t166;
                                                                  					_v8 =  &_v92;
                                                                  					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                                                  					return 0;
                                                                  				}
                                                                  				_t104 = _a8 - _v44;
                                                                  				_t142 =  *_v48;
                                                                  				if(_t104 < 0) {
                                                                  					_t104 = _t104 + 3;
                                                                  				}
                                                                  				_v12 = _t104 >> 2;
                                                                  				_t106 = _v12;
                                                                  				_t190 = (_t106 << 2) + _v40;
                                                                  				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                                                  				_v76 = _t108;
                                                                  				if(_t108 == 0) {
                                                                  					_v72 =  *_t190 & 0x0000ffff;
                                                                  				} else {
                                                                  					_v72 = E0040DA44( *_t190) + 2;
                                                                  				}
                                                                  				_t191 = 0;
                                                                  				if( *0x4b0640 == 0) {
                                                                  					L10:
                                                                  					if(_t142 != 0) {
                                                                  						L25:
                                                                  						_v68 = _t142;
                                                                  						if( *0x4b0640 != 0) {
                                                                  							_t191 =  *0x4b0640(2,  &_v92);
                                                                  						}
                                                                  						if(_t191 != 0) {
                                                                  							L36:
                                                                  							if(_t191 == 0) {
                                                                  								_v60 = GetLastError();
                                                                  								if( *0x4b0644 != 0) {
                                                                  									_t191 =  *0x4b0644(4,  &_v92);
                                                                  								}
                                                                  								if(_t191 == 0) {
                                                                  									_t113 =  *0x4a9c8c; // 0x0
                                                                  									_v24 = _t113;
                                                                  									_v24 =  &_v92;
                                                                  									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                                                  									_t191 = _v64;
                                                                  								}
                                                                  							}
                                                                  							goto L41;
                                                                  						} else {
                                                                  							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                                                  								L35:
                                                                  								_t191 = GetProcAddress(_t142, _v72);
                                                                  								goto L36;
                                                                  							} else {
                                                                  								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                                                  								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                                                  									goto L35;
                                                                  								} else {
                                                                  									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                                                  									if(_t191 == 0) {
                                                                  										goto L35;
                                                                  									}
                                                                  									L41:
                                                                  									 *_a8 = _t191;
                                                                  									goto L42;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  					if( *0x4b0640 != 0) {
                                                                  						_t142 =  *0x4b0640(1,  &_v92);
                                                                  					}
                                                                  					if(_t142 == 0) {
                                                                  						_t142 = LoadLibraryA(_v80);
                                                                  					}
                                                                  					if(_t142 != 0) {
                                                                  						L20:
                                                                  						if(_t142 == E0040CEDC(_v48, _t142)) {
                                                                  							FreeLibrary(_t142);
                                                                  						} else {
                                                                  							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                                                  								_t124 = LocalAlloc(0x40, 8);
                                                                  								_v20 = _t124;
                                                                  								if(_t124 != 0) {
                                                                  									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                                                  									_t126 =  *0x4a9c3c; // 0x0
                                                                  									 *_v20 = _t126;
                                                                  									 *0x4a9c3c = _v20;
                                                                  								}
                                                                  							}
                                                                  						}
                                                                  						goto L25;
                                                                  					} else {
                                                                  						_v60 = GetLastError();
                                                                  						if( *0x4b0644 != 0) {
                                                                  							_t142 =  *0x4b0644(3,  &_v92);
                                                                  						}
                                                                  						if(_t142 != 0) {
                                                                  							goto L20;
                                                                  						} else {
                                                                  							_t128 =  *0x4a9c88; // 0x0
                                                                  							_v16 = _t128;
                                                                  							_v16 =  &_v92;
                                                                  							RaiseException(0xc06d007e, 0, 1,  &_v16);
                                                                  							return _v64;
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					_t191 =  *0x4b0640(0,  &_v92);
                                                                  					if(_t191 == 0) {
                                                                  						goto L10;
                                                                  					} else {
                                                                  						L42:
                                                                  						if( *0x4b0640 != 0) {
                                                                  							_v60 = 0;
                                                                  							_v68 = _t142;
                                                                  							_v64 = _t191;
                                                                  							 *0x4b0640(5,  &_v92);
                                                                  						}
                                                                  						return _t191;
                                                                  					}
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D60C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionRaise
                                                                  • String ID:
                                                                  • API String ID: 3997070919-0
                                                                  • Opcode ID: bb38534db3716b5c0e8cc02abb66565b7a6061d3ab8a69af711d2669e69f4069
                                                                  • Instruction ID: c0290ffb1106a5c61d4348b5596b834e5d82be19a22c5125b9ccd60b821c4e33
                                                                  • Opcode Fuzzy Hash: bb38534db3716b5c0e8cc02abb66565b7a6061d3ab8a69af711d2669e69f4069
                                                                  • Instruction Fuzzy Hash: 42A13F75E006099FDB14DFE8D885BAEB7B5BB88310F14813AE905B73C0D778A949CB58
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E0041F8C0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                  				char _v8;
                                                                  				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                  				short _v558;
                                                                  				char _v564;
                                                                  				intOrPtr _v568;
                                                                  				char _v572;
                                                                  				char _v576;
                                                                  				char _v580;
                                                                  				intOrPtr _v584;
                                                                  				char _v588;
                                                                  				void* _v592;
                                                                  				char _v596;
                                                                  				char _v600;
                                                                  				char _v604;
                                                                  				char _v608;
                                                                  				intOrPtr _v612;
                                                                  				char _v616;
                                                                  				char _v620;
                                                                  				char _v624;
                                                                  				void* _v628;
                                                                  				char _v632;
                                                                  				void* _t64;
                                                                  				intOrPtr _t65;
                                                                  				long _t76;
                                                                  				intOrPtr _t82;
                                                                  				intOrPtr _t103;
                                                                  				intOrPtr _t107;
                                                                  				intOrPtr _t110;
                                                                  				intOrPtr _t112;
                                                                  				intOrPtr _t115;
                                                                  				intOrPtr _t127;
                                                                  				void* _t136;
                                                                  				intOrPtr _t138;
                                                                  				void* _t141;
                                                                  				void* _t143;
                                                                  
                                                                  				_t136 = __edi;
                                                                  				_t140 = _t141;
                                                                  				_v632 = 0;
                                                                  				_v596 = 0;
                                                                  				_v604 = 0;
                                                                  				_v600 = 0;
                                                                  				_v8 = 0;
                                                                  				_push(_t141);
                                                                  				_push(0x41fac6);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t141 + 0xfffffd8c;
                                                                  				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                                                                  				_t143 = _t64;
                                                                  				if(_t143 < 0) {
                                                                  					_t65 =  *0x4ac798; // 0x40ea20
                                                                  					E0040CD2C(_t65,  &_v8, _t140);
                                                                  				} else {
                                                                  					if(_t143 == 0) {
                                                                  						_t107 =  *0x4ac670; // 0x40ea28
                                                                  						E0040CD2C(_t107,  &_v8, _t140);
                                                                  					} else {
                                                                  						if(_t64 == 7) {
                                                                  							_t110 =  *0x4ac4d0; // 0x40ea30
                                                                  							E0040CD2C(_t110,  &_v8, _t140);
                                                                  						} else {
                                                                  							_t112 =  *0x4ac5c8; // 0x40ea38
                                                                  							E0040CD2C(_t112,  &_v8, _t140);
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                                                                  				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                                                                  				_t138 = _v36.State;
                                                                  				if(_t138 == 0x1000 || _t138 == 0x10000) {
                                                                  					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
                                                                  					_t147 = _t76;
                                                                  					if(_t76 == 0) {
                                                                  						goto L12;
                                                                  					} else {
                                                                  						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                                  						_v588 = 5;
                                                                  						E0040856C( &_v600, 0x105,  &_v558);
                                                                  						E0041A538(_v600, _t115,  &_v596, _t136, _t138, _t147);
                                                                  						_v584 = _v596;
                                                                  						_v580 = 0x11;
                                                                  						_v576 = _v8;
                                                                  						_v572 = 0x11;
                                                                  						_v568 = _t115;
                                                                  						_v564 = 5;
                                                                  						_push( &_v592);
                                                                  						_t103 =  *0x4ac6e0; // 0x40eb00
                                                                  						E0040CD2C(_t103,  &_v604, _t140, 3);
                                                                  						E0041F3C0(_t115, _v604, 1, _t136, _t138);
                                                                  					}
                                                                  				} else {
                                                                  					L12:
                                                                  					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                                  					_v624 = 5;
                                                                  					_v620 = _v8;
                                                                  					_v616 = 0x11;
                                                                  					_v612 = _t115;
                                                                  					_v608 = 5;
                                                                  					_push( &_v628);
                                                                  					_t82 =  *0x4ac67c; // 0x40e9c8
                                                                  					E0040CD2C(_t82,  &_v632, _t140, 2);
                                                                  					E0041F3C0(_t115, _v632, 1, _t136, _t138);
                                                                  				}
                                                                  				_pop(_t127);
                                                                  				 *[fs:eax] = _t127;
                                                                  				_push(0x41facd);
                                                                  				E004079F4( &_v632);
                                                                  				E00407A54( &_v604, 3);
                                                                  				return E004079F4( &_v8);
                                                                  			}

                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041FAC6), ref: 0041F960
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041FAC6), ref: 0041F98C
                                                                    • Part of subcall function 0040CD2C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CD71
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileLoadModuleNameQueryStringVirtual
                                                                  • String ID: @$$eA$(@$0@$8@
                                                                  • API String ID: 902310565-693499950
                                                                  • Opcode ID: 7e2933c987fcbf8755fa47fa3e752120357f595b88d160efd4e8fe01f8cc19a2
                                                                  • Instruction ID: 8907c0fdb59343008c76ceb90c3378100399d4465cadcd87230c2457523b253d
                                                                  • Opcode Fuzzy Hash: 7e2933c987fcbf8755fa47fa3e752120357f595b88d160efd4e8fe01f8cc19a2
                                                                  • Instruction Fuzzy Hash: 33510574A04659DFDB50EF68CD88BCDBBF4AB48304F0041E6A808A7351D778AE89CF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 72%
                                                                  			E004047B0(int __eax, void* __ecx, void* __edx) {
                                                                  				long _v12;
                                                                  				int _t4;
                                                                  				long _t7;
                                                                  				void* _t11;
                                                                  				long _t12;
                                                                  				void* _t13;
                                                                  				long _t18;
                                                                  
                                                                  				_t4 = __eax;
                                                                  				_t24 = __edx;
                                                                  				_t20 = __eax;
                                                                  				if( *0x4ad058 == 0) {
                                                                  					_push(0x2010);
                                                                  					_push(__edx);
                                                                  					_push(__eax);
                                                                  					_push(0);
                                                                  					L00403780();
                                                                  				} else {
                                                                  					_t7 = E00407EC4(__edx);
                                                                  					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
                                                                  					_t11 =  *0x4a9078; // 0x403920
                                                                  					_t12 = E00407EC4(_t11);
                                                                  					_t13 =  *0x4a9078; // 0x403920
                                                                  					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                                                  					_t18 = E00407EC4(_t20);
                                                                  					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                                                  				}
                                                                  				return _t4;
                                                                  			}

                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
                                                                  • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
                                                                  • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
                                                                  • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite
                                                                  • String ID: 9@
                                                                  • API String ID: 3320372497-3209974744
                                                                  • Opcode ID: 4e270b9709a1e126671c3d07b356aced4a42befb1328ca478adcdb9b8427dfa1
                                                                  • Instruction ID: 039b6809bffddf7eb8364f6b1d7a8ef426dfe463875095ecbcfdc7d20cb8dc15
                                                                  • Opcode Fuzzy Hash: 4e270b9709a1e126671c3d07b356aced4a42befb1328ca478adcdb9b8427dfa1
                                                                  • Instruction Fuzzy Hash: F601FED25091503DE100F7668C85F971E8C8B0973EF10457F7618F31C1C5394D44827E
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 62%
                                                                  			E0041F214(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                  				char* _v8;
                                                                  				long _v12;
                                                                  				short _v140;
                                                                  				short _v2188;
                                                                  				void* _t15;
                                                                  				char* _t17;
                                                                  				intOrPtr _t19;
                                                                  				intOrPtr _t30;
                                                                  				long _t48;
                                                                  				intOrPtr _t56;
                                                                  				intOrPtr _t57;
                                                                  				int _t61;
                                                                  				void* _t64;
                                                                  
                                                                  				_push(__ebx);
                                                                  				_push(__esi);
                                                                  				_v8 = 0;
                                                                  				_push(_t64);
                                                                  				_push(0x41f339);
                                                                  				_push( *[fs:ecx]);
                                                                  				 *[fs:ecx] = _t64 + 0xfffff778;
                                                                  				_t61 = E0041F01C(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                                                                  				_t17 =  *0x4ac6c0; // 0x4ad058
                                                                  				if( *_t17 == 0) {
                                                                  					_t19 =  *0x4ac4f8; // 0x40ea00
                                                                  					_t11 = _t19 + 4; // 0xffed
                                                                  					LoadStringW(E0040A364( *0x4b0634),  *_t11,  &_v140, 0x40);
                                                                  					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
                                                                  				} else {
                                                                  					_t30 =  *0x4ac524; // 0x4ad340
                                                                  					E00405544(E00405800(_t30));
                                                                  					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
                                                                  					_push(_t48);
                                                                  					E00409F74();
                                                                  					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
                                                                  					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
                                                                  					WriteFile(GetStdHandle(0xfffffff4), 0x41f354, 2,  &_v12, 0);
                                                                  				}
                                                                  				_pop(_t56);
                                                                  				 *[fs:eax] = _t56;
                                                                  				_push(0x41f340);
                                                                  				_t57 =  *0x41f1e4; // 0x41f1e8
                                                                  				return E0040A098( &_v8, _t57);
                                                                  			}

                                                                  APIs
                                                                    • Part of subcall function 0041F01C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F1C8), ref: 0041F04F
                                                                    • Part of subcall function 0041F01C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F073
                                                                    • Part of subcall function 0041F01C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F08E
                                                                    • Part of subcall function 0041F01C: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F129
                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F339), ref: 0041F275
                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F2A8
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F2BA
                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F2C0
                                                                  • GetStdHandle.KERNEL32(000000F4,0041F354,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F2D4
                                                                  • WriteFile.KERNEL32(00000000,000000F4,0041F354,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F2DA
                                                                  • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F2FE
                                                                  • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F318
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                                  • String ID:
                                                                  • API String ID: 135118572-0
                                                                  • Opcode ID: 6de1fb4f568848f1ad312383e8938cc37fb5761b850aa9aff36d0b460632ffaf
                                                                  • Instruction ID: b395f61791e0df98aef8ec842badcc0ffa5cccf14742596207c1dbdfc5c66452
                                                                  • Opcode Fuzzy Hash: 6de1fb4f568848f1ad312383e8938cc37fb5761b850aa9aff36d0b460632ffaf
                                                                  • Instruction Fuzzy Hash: 58319371640208BEE714EB95DC83FEA73ACEB05704F904476BA04F71D1DA746E548B6D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
                                                                  				signed int __ebx;
                                                                  				void* __esi;
                                                                  				signed int _t69;
                                                                  				signed int _t78;
                                                                  				signed int _t93;
                                                                  				long _t94;
                                                                  				void* _t100;
                                                                  				signed int _t102;
                                                                  				signed int _t109;
                                                                  				signed int _t115;
                                                                  				signed int _t123;
                                                                  				signed int _t129;
                                                                  				void* _t131;
                                                                  				signed int _t140;
                                                                  				unsigned int _t148;
                                                                  				signed int _t150;
                                                                  				long _t152;
                                                                  				signed int _t156;
                                                                  				intOrPtr _t161;
                                                                  				signed int _t166;
                                                                  				signed int _t170;
                                                                  				unsigned int _t171;
                                                                  				intOrPtr _t174;
                                                                  				intOrPtr _t192;
                                                                  				signed int _t195;
                                                                  				signed int _t196;
                                                                  				signed int _t197;
                                                                  				void* _t205;
                                                                  				unsigned int _t207;
                                                                  				intOrPtr _t213;
                                                                  				void* _t225;
                                                                  				intOrPtr _t227;
                                                                  				void* _t228;
                                                                  				signed int _t230;
                                                                  				void* _t232;
                                                                  				signed int _t233;
                                                                  				signed int _t234;
                                                                  				signed int _t238;
                                                                  				signed int _t241;
                                                                  				void* _t243;
                                                                  				intOrPtr* _t244;
                                                                  
                                                                  				_t176 = __edx;
                                                                  				_t66 = __eax;
                                                                  				_t166 =  *(__eax - 4);
                                                                  				_t217 = __eax;
                                                                  				if((_t166 & 0x00000007) != 0) {
                                                                  					__eflags = _t166 & 0x00000005;
                                                                  					if((_t166 & 0x00000005) != 0) {
                                                                  						_pop(_t217);
                                                                  						_pop(_t145);
                                                                  						__eflags = _t166 & 0x00000003;
                                                                  						if((_t166 & 0x00000003) == 0) {
                                                                  							_push(_t145);
                                                                  							_push(__eax);
                                                                  							_push(__edi);
                                                                  							_push(_t225);
                                                                  							_t244 = _t243 + 0xffffffe0;
                                                                  							_t218 = __edx;
                                                                  							_t202 = __eax;
                                                                  							_t69 =  *(__eax - 4);
                                                                  							_t148 = (0xfffffff0 & _t69) - 0x14;
                                                                  							if(0xfffffff0 >= __edx) {
                                                                  								__eflags = __edx - _t148 >> 1;
                                                                  								if(__edx < _t148 >> 1) {
                                                                  									_t150 = E00403EE8(__edx);
                                                                  									__eflags = _t150;
                                                                  									if(_t150 != 0) {
                                                                  										__eflags = _t218 - 0x40a2c;
                                                                  										if(_t218 > 0x40a2c) {
                                                                  											_t78 = _t202 - 0x10;
                                                                  											__eflags = _t78;
                                                                  											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                                                  										}
                                                                  										E00403AA4(_t202, _t218, _t150);
                                                                  										E0040426C(_t202, _t202, _t225);
                                                                  									}
                                                                  								} else {
                                                                  									_t150 = __eax;
                                                                  									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                                                  								}
                                                                  							} else {
                                                                  								if(0xfffffff0 <= __edx) {
                                                                  									_t227 = __edx;
                                                                  								} else {
                                                                  									_t227 = 0xbadb9d;
                                                                  								}
                                                                  								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                                                  								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
                                                                  								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
                                                                  									L12:
                                                                  									_t150 = E00403EE8(_t227);
                                                                  									__eflags = _t150;
                                                                  									if(_t150 != 0) {
                                                                  										__eflags = _t227 - 0x40a2c;
                                                                  										if(_t227 > 0x40a2c) {
                                                                  											_t93 = _t150 - 0x10;
                                                                  											__eflags = _t93;
                                                                  											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                                                  										}
                                                                  										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                                                  										E0040426C(_t202, _t202, _t227);
                                                                  									}
                                                                  								} else {
                                                                  									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                                                  									_t94 =  *(_t244 + 0x10);
                                                                  									if(_t218 - _t148 >= _t94) {
                                                                  										goto L12;
                                                                  									} else {
                                                                  										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                                                  										if(_t94 < _t152) {
                                                                  											_t152 = _t94;
                                                                  										}
                                                                  										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
                                                                  											goto L12;
                                                                  										} else {
                                                                  											_t100 = _t202 - 0x10;
                                                                  											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                                                  											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                                                  											_t150 = _t202;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  							return _t150;
                                                                  						} else {
                                                                  							__eflags = 0;
                                                                  							return 0;
                                                                  						}
                                                                  					} else {
                                                                  						_t170 = _t166 & 0xfffffff0;
                                                                  						_push(__edi);
                                                                  						_t205 = _t170 + __eax;
                                                                  						_t171 = _t170 - 4;
                                                                  						_t156 = _t166 & 0x0000000f;
                                                                  						__eflags = __edx - _t171;
                                                                  						_push(_t225);
                                                                  						if(__edx > _t171) {
                                                                  							_t102 =  *(_t205 - 4);
                                                                  							__eflags = _t102 & 0x00000001;
                                                                  							if((_t102 & 0x00000001) == 0) {
                                                                  								L75:
                                                                  								asm("adc edi, 0xffffffff");
                                                                  								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                                                  								_t207 = _t171;
                                                                  								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                                                  								_t192 = _t176;
                                                                  								__eflags = _t109;
                                                                  								if(_t109 == 0) {
                                                                  									goto L73;
                                                                  								} else {
                                                                  									__eflags = _t228 - 0x40a2c;
                                                                  									if(_t228 > 0x40a2c) {
                                                                  										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                                                  									}
                                                                  									_t230 = _t109;
                                                                  									E00403A74(_t217, _t207, _t109);
                                                                  									E0040426C(_t217, _t207, _t230);
                                                                  									return _t230;
                                                                  								}
                                                                  							} else {
                                                                  								_t115 = _t102 & 0xfffffff0;
                                                                  								_t232 = _t171 + _t115;
                                                                  								__eflags = __edx - _t232;
                                                                  								if(__edx > _t232) {
                                                                  									goto L75;
                                                                  								} else {
                                                                  									__eflags =  *0x4ad059;
                                                                  									if(__eflags == 0) {
                                                                  										L66:
                                                                  										__eflags = _t115 - 0xb30;
                                                                  										if(_t115 >= 0xb30) {
                                                                  											E00403AC0(_t205);
                                                                  											_t176 = _t176;
                                                                  											_t171 = _t171;
                                                                  										}
                                                                  										asm("adc edi, 0xffffffff");
                                                                  										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                                  										_t195 = _t232 + 4 - _t123;
                                                                  										__eflags = _t195;
                                                                  										if(_t195 > 0) {
                                                                  											 *(_t217 + _t232 - 4) = _t195;
                                                                  											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                                                  											_t233 = _t123;
                                                                  											__eflags = _t195 - 0xb30;
                                                                  											if(_t195 >= 0xb30) {
                                                                  												__eflags = _t123 + _t217;
                                                                  												E00403B00(_t123 + _t217, _t171, _t195);
                                                                  											}
                                                                  										} else {
                                                                  											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                                                  											_t233 = _t232 + 4;
                                                                  										}
                                                                  										_t234 = _t233 | _t156;
                                                                  										__eflags = _t234;
                                                                  										 *(_t217 - 4) = _t234;
                                                                  										 *0x4adae8 = 0;
                                                                  										_t109 = _t217;
                                                                  										L73:
                                                                  										return _t109;
                                                                  									} else {
                                                                  										while(1) {
                                                                  											asm("lock cmpxchg [0x4adae8], ah");
                                                                  											if(__eflags == 0) {
                                                                  												break;
                                                                  											}
                                                                  											asm("pause");
                                                                  											__eflags =  *0x4ad989;
                                                                  											if(__eflags != 0) {
                                                                  												continue;
                                                                  											} else {
                                                                  												Sleep(0);
                                                                  												_t176 = _t176;
                                                                  												_t171 = _t171;
                                                                  												asm("lock cmpxchg [0x4adae8], ah");
                                                                  												if(__eflags != 0) {
                                                                  													Sleep(0xa);
                                                                  													_t176 = _t176;
                                                                  													_t171 = _t171;
                                                                  													continue;
                                                                  												}
                                                                  											}
                                                                  											break;
                                                                  										}
                                                                  										_t156 = 0x0000000f &  *(_t217 - 4);
                                                                  										_t129 =  *(_t205 - 4);
                                                                  										__eflags = _t129 & 0x00000001;
                                                                  										if((_t129 & 0x00000001) == 0) {
                                                                  											L74:
                                                                  											 *0x4adae8 = 0;
                                                                  											goto L75;
                                                                  										} else {
                                                                  											_t115 = _t129 & 0xfffffff0;
                                                                  											_t232 = _t171 + _t115;
                                                                  											__eflags = _t176 - _t232;
                                                                  											if(_t176 > _t232) {
                                                                  												goto L74;
                                                                  											} else {
                                                                  												goto L66;
                                                                  											}
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							}
                                                                  						} else {
                                                                  							__eflags = __edx + __edx - _t171;
                                                                  							if(__edx + __edx < _t171) {
                                                                  								__eflags = __edx - 0xb2c;
                                                                  								if(__edx >= 0xb2c) {
                                                                  									L41:
                                                                  									_t32 = _t176 + 0xd3; // 0xbff
                                                                  									_t238 = (_t32 & 0xffffff00) + 0x30;
                                                                  									_t174 = _t171 + 4 - _t238;
                                                                  									__eflags =  *0x4ad059;
                                                                  									if(__eflags != 0) {
                                                                  										while(1) {
                                                                  											asm("lock cmpxchg [0x4adae8], ah");
                                                                  											if(__eflags == 0) {
                                                                  												break;
                                                                  											}
                                                                  											asm("pause");
                                                                  											__eflags =  *0x4ad989;
                                                                  											if(__eflags != 0) {
                                                                  												continue;
                                                                  											} else {
                                                                  												Sleep(0);
                                                                  												_t174 = _t174;
                                                                  												asm("lock cmpxchg [0x4adae8], ah");
                                                                  												if(__eflags != 0) {
                                                                  													Sleep(0xa);
                                                                  													_t174 = _t174;
                                                                  													continue;
                                                                  												}
                                                                  											}
                                                                  											break;
                                                                  										}
                                                                  										_t156 = 0x0000000f &  *(_t217 - 4);
                                                                  										__eflags = 0xf;
                                                                  									}
                                                                  									 *(_t217 - 4) = _t156 | _t238;
                                                                  									_t161 = _t174;
                                                                  									_t196 =  *(_t205 - 4);
                                                                  									__eflags = _t196 & 0x00000001;
                                                                  									if((_t196 & 0x00000001) != 0) {
                                                                  										_t131 = _t205;
                                                                  										_t197 = _t196 & 0xfffffff0;
                                                                  										_t161 = _t161 + _t197;
                                                                  										_t205 = _t205 + _t197;
                                                                  										__eflags = _t197 - 0xb30;
                                                                  										if(_t197 >= 0xb30) {
                                                                  											E00403AC0(_t131);
                                                                  										}
                                                                  									} else {
                                                                  										 *(_t205 - 4) = _t196 | 0x00000008;
                                                                  									}
                                                                  									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                                                  									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                                                  									__eflags = _t161 - 0xb30;
                                                                  									if(_t161 >= 0xb30) {
                                                                  										E00403B00(_t217 + _t238, _t174, _t161);
                                                                  									}
                                                                  									 *0x4adae8 = 0;
                                                                  									return _t217;
                                                                  								} else {
                                                                  									__eflags = __edx - 0x2cc;
                                                                  									if(__edx < 0x2cc) {
                                                                  										_t213 = __edx;
                                                                  										_t140 = E00403EE8(__edx);
                                                                  										__eflags = _t140;
                                                                  										if(_t140 != 0) {
                                                                  											_t241 = _t140;
                                                                  											E00403AA4(_t217, _t213, _t140);
                                                                  											E0040426C(_t217, _t213, _t241);
                                                                  											_t140 = _t241;
                                                                  										}
                                                                  										return _t140;
                                                                  									} else {
                                                                  										_t176 = 0xb2c;
                                                                  										__eflags = _t171 - 0xb2c;
                                                                  										if(_t171 <= 0xb2c) {
                                                                  											goto L37;
                                                                  										} else {
                                                                  											goto L41;
                                                                  										}
                                                                  									}
                                                                  								}
                                                                  							} else {
                                                                  								L37:
                                                                  								return _t66;
                                                                  							}
                                                                  						}
                                                                  					}
                                                                  				} else {
                                                                  					__ebx =  *__ecx;
                                                                  					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                  					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                  					__eflags = __ecx - __edx;
                                                                  					if(__ecx < __edx) {
                                                                  						__ecx = __ecx + __ecx + 0x20;
                                                                  						_push(__edi);
                                                                  						__edi = __edx;
                                                                  						__eax = 0;
                                                                  						__ecx = __ecx - __edx;
                                                                  						asm("adc eax, 0xffffffff");
                                                                  						__eax = 0 & __ecx;
                                                                  						__eax = (0 & __ecx) + __edx;
                                                                  						__eax = E00403EE8((0 & __ecx) + __edx);
                                                                  						__eflags = __eax;
                                                                  						if(__eax != 0) {
                                                                  							__eflags = __edi - 0x40a2c;
                                                                  							if(__edi > 0x40a2c) {
                                                                  								 *(__eax - 8) = __edi;
                                                                  							}
                                                                  							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                  							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                  							__edx = __eax;
                                                                  							__edi = __eax;
                                                                  							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
                                                                  							__eax = __edi;
                                                                  						}
                                                                  						_pop(__edi);
                                                                  						_pop(__esi);
                                                                  						_pop(__ebx);
                                                                  						return __eax;
                                                                  					} else {
                                                                  						__ebx = 0x40 + __edx * 4;
                                                                  						__eflags = 0x40 + __edx * 4 - __ecx;
                                                                  						if(0x40 + __edx * 4 < __ecx) {
                                                                  							__ebx = __edx;
                                                                  							__eax = __edx;
                                                                  							__eax = E00403EE8(__edx);
                                                                  							__eflags = __eax;
                                                                  							if(__eax != 0) {
                                                                  								__ecx = __ebx;
                                                                  								__edx = __eax;
                                                                  								__ebx = __eax;
                                                                  								__esi = E0040426C(__esi, __edi, __ebp);
                                                                  								__eax = __ebx;
                                                                  							}
                                                                  							_pop(__esi);
                                                                  							_pop(__ebx);
                                                                  							return __eax;
                                                                  						} else {
                                                                  							_pop(__esi);
                                                                  							_pop(__ebx);
                                                                  							return __eax;
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  			}

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5439aca8df4603b27f37f25116b021730c29e514c4b4e173baf39aeb11cdd27a
                                                                  • Instruction ID: 0a757bcfe66f4df8a837bb95f72d8b736428374affe9d1eaec42a64222243fb9
                                                                  • Opcode Fuzzy Hash: 5439aca8df4603b27f37f25116b021730c29e514c4b4e173baf39aeb11cdd27a
                                                                  • Instruction Fuzzy Hash: 83C115A27106000BD714AE7DDD8476ABA8A9BC5716F18827FF244EB3D6DA7CCD418348
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 88%
                                                                  			E0040665C(signed char* __eax, void* __edx, void* __eflags) {
                                                                  				void* _t49;
                                                                  				signed char _t56;
                                                                  				intOrPtr _t57;
                                                                  				signed char _t59;
                                                                  				void* _t70;
                                                                  				signed char* _t71;
                                                                  				intOrPtr _t72;
                                                                  				signed char* _t73;
                                                                  
                                                                  				_t70 = __edx;
                                                                  				_t71 = __eax;
                                                                  				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                                                  				while(1) {
                                                                  					L1:
                                                                  					 *_t73 = E00406B04(_t71);
                                                                  					if( *_t73 != 0 || _t70 == 0) {
                                                                  						break;
                                                                  					}
                                                                  					_t73[1] = 0;
                                                                  					if(_t72 <= 0) {
                                                                  						while(1) {
                                                                  							L17:
                                                                  							_t56 =  *_t71;
                                                                  							if(_t56 == 0) {
                                                                  								goto L1;
                                                                  							}
                                                                  							asm("lock cmpxchg [esi], edx");
                                                                  							if(_t56 != _t56) {
                                                                  								continue;
                                                                  							} else {
                                                                  								goto L19;
                                                                  							}
                                                                  							do {
                                                                  								L19:
                                                                  								_t73[4] = GetTickCount();
                                                                  								E00406860(_t71);
                                                                  								_t57 =  *0x4ad8f8; // 0x4ab284
                                                                  								 *((intOrPtr*)(_t57 + 0x10))();
                                                                  								 *_t73 = 0 == 0;
                                                                  								if(_t70 != 0xffffffff) {
                                                                  									_t73[8] = GetTickCount();
                                                                  									if(_t70 <= _t73[8] - _t73[4]) {
                                                                  										_t70 = 0;
                                                                  									} else {
                                                                  										_t70 = _t70 - _t73[8] - _t73[4];
                                                                  									}
                                                                  								}
                                                                  								if( *_t73 == 0) {
                                                                  									do {
                                                                  										asm("lock cmpxchg [esi], edx");
                                                                  									} while ( *_t71 !=  *_t71);
                                                                  									_t73[1] = 1;
                                                                  								} else {
                                                                  									while(1) {
                                                                  										_t59 =  *_t71;
                                                                  										if((_t59 & 0x00000001) != 0) {
                                                                  											goto L29;
                                                                  										}
                                                                  										asm("lock cmpxchg [esi], edx");
                                                                  										if(_t59 != _t59) {
                                                                  											continue;
                                                                  										}
                                                                  										_t73[1] = 1;
                                                                  										goto L29;
                                                                  									}
                                                                  								}
                                                                  								L29:
                                                                  							} while (_t73[1] == 0);
                                                                  							if( *_t73 != 0) {
                                                                  								_t71[8] = GetCurrentThreadId();
                                                                  								_t71[4] = 1;
                                                                  							}
                                                                  							goto L32;
                                                                  						}
                                                                  						continue;
                                                                  					}
                                                                  					_t73[4] = GetTickCount();
                                                                  					_t73[0xc] = 0;
                                                                  					if(_t72 <= 0) {
                                                                  						L13:
                                                                  						if(_t70 == 0xffffffff) {
                                                                  							goto L17;
                                                                  						}
                                                                  						_t73[8] = GetTickCount();
                                                                  						_t49 = _t73[8] - _t73[4];
                                                                  						if(_t70 > _t49) {
                                                                  							_t70 = _t70 - _t49;
                                                                  							goto L17;
                                                                  						}
                                                                  						 *_t73 = 0;
                                                                  						break;
                                                                  					}
                                                                  					L5:
                                                                  					L5:
                                                                  					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                                                  						goto L8;
                                                                  					} else {
                                                                  						 *_t73 = 0;
                                                                  					}
                                                                  					break;
                                                                  					L8:
                                                                  					if( *_t71 > 1) {
                                                                  						goto L13;
                                                                  					}
                                                                  					if( *_t71 != 0) {
                                                                  						L12:
                                                                  						E0040633C( &(_t73[0xc]));
                                                                  						_t72 = _t72 - 1;
                                                                  						if(_t72 > 0) {
                                                                  							goto L5;
                                                                  						}
                                                                  						goto L13;
                                                                  					}
                                                                  					asm("lock cmpxchg [esi], edx");
                                                                  					if(0 != 0) {
                                                                  						goto L12;
                                                                  					}
                                                                  					_t71[8] = GetCurrentThreadId();
                                                                  					_t71[4] = 1;
                                                                  					 *_t73 = 1;
                                                                  					break;
                                                                  				}
                                                                  				L32:
                                                                  				return  *_t73 & 0x000000ff;
                                                                  			}












                                                                  APIs
                                                                    • Part of subcall function 00406B04: GetCurrentThreadId.KERNEL32 ref: 00406B07
                                                                  • GetTickCount.KERNEL32 ref: 00406693
                                                                  • GetTickCount.KERNEL32 ref: 004066AB
                                                                  • GetCurrentThreadId.KERNEL32 ref: 004066DA
                                                                  • GetTickCount.KERNEL32 ref: 00406705
                                                                  • GetTickCount.KERNEL32 ref: 0040673C
                                                                  • GetTickCount.KERNEL32 ref: 00406766
                                                                  • GetCurrentThreadId.KERNEL32 ref: 004067D6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 3968769311-0
                                                                  • Opcode ID: 72bf5cf191fff23eea650aef81e54304f71ab1849b51d2c2f8be95d33ba0f9a3
                                                                  • Instruction ID: d55af3395c34765ca91144e68d0792783d215dccc41bd3b69e0d2f57a8242420
                                                                  • Opcode Fuzzy Hash: 72bf5cf191fff23eea650aef81e54304f71ab1849b51d2c2f8be95d33ba0f9a3
                                                                  • Instruction Fuzzy Hash: C441A0712083418EE721AF7CC44432BBAD5AF84358F16893EE4DA973C1EB7DC8948756
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 36%
                                                                  			E004063F8(void* __edx) {
                                                                  				signed int _v8;
                                                                  				intOrPtr _v12;
                                                                  				char _v16;
                                                                  				char* _t23;
                                                                  				intOrPtr _t29;
                                                                  				intOrPtr _t39;
                                                                  				void* _t41;
                                                                  				void* _t43;
                                                                  				intOrPtr _t44;
                                                                  
                                                                  				_t41 = _t43;
                                                                  				_t44 = _t43 + 0xfffffff4;
                                                                  				_v16 = 0;
                                                                  				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                                                  					L10:
                                                                  					_v8 = 0x40;
                                                                  					goto L11;
                                                                  				} else {
                                                                  					_t23 =  &_v16;
                                                                  					_push(_t23);
                                                                  					_push(0);
                                                                  					L00403808();
                                                                  					if(_t23 != 0 || GetLastError() != 0x7a) {
                                                                  						goto L10;
                                                                  					} else {
                                                                  						_v12 = E004053F0(_v16);
                                                                  						_push(_t41);
                                                                  						_push(E004064A6);
                                                                  						_push( *[fs:edx]);
                                                                  						 *[fs:edx] = _t44;
                                                                  						_push( &_v16);
                                                                  						_push(_v12);
                                                                  						L00403808();
                                                                  						_t29 = _v12;
                                                                  						if(_v16 <= 0) {
                                                                  							L8:
                                                                  							_pop(_t39);
                                                                  							 *[fs:eax] = _t39;
                                                                  							_push(E004064AD);
                                                                  							return E0040540C(_v12);
                                                                  						} else {
                                                                  							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                                                  								_t29 = _t29 + 0x18;
                                                                  								_v16 = _v16 - 0x18;
                                                                  								if(_v16 > 0) {
                                                                  									continue;
                                                                  								} else {
                                                                  									goto L8;
                                                                  								}
                                                                  								goto L12;
                                                                  							}
                                                                  							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
                                                                  							E004071E4();
                                                                  							L11:
                                                                  							return _v8;
                                                                  						}
                                                                  					}
                                                                  				}
                                                                  				L12:
                                                                  			}













                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040640D
                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406413
                                                                  • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040642F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressErrorHandleLastModuleProc
                                                                  • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                  • API String ID: 4275029093-79381301
                                                                  • Opcode ID: 9a328c14a2360e788c5d7c27423bd1e3d2ec7813e67ce0fbf63762a3592cbdfc
                                                                  • Instruction ID: 0ade09f5ec255af418c15bc26d56a5e77a61777008c3a3a20ffec8f8ea5cdbb2
                                                                  • Opcode Fuzzy Hash: 9a328c14a2360e788c5d7c27423bd1e3d2ec7813e67ce0fbf63762a3592cbdfc
                                                                  • Instruction Fuzzy Hash: 5E115E71D00204BEDB20EFA5D845B6EBBB8DB40715F1180BBF815B36C2D67D9A908A1D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 43%
                                                                  			E0040768C(void* __ecx) {
                                                                  				long _v4;
                                                                  				void* _t3;
                                                                  				void* _t9;
                                                                  
                                                                  				if( *0x4ad058 == 0) {
                                                                  					if( *0x4a9032 == 0) {
                                                                  						_push(0);
                                                                  						_push("Error");
                                                                  						_push("Runtime error     at 00000000");
                                                                  						_push(0);
                                                                  						L00403780();
                                                                  					}
                                                                  					return _t3;
                                                                  				} else {
                                                                  					if( *0x4ad344 == 0xd7b2 &&  *0x4ad34c > 0) {
                                                                  						 *0x4ad35c();
                                                                  					}
                                                                  					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                                                  					_t9 = E004081CC(0x407720);
                                                                  					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                                                  				}
                                                                  			}







                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?,0040553F), ref: 004076C5
                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?), ref: 004076CB
                                                                  • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?), ref: 004076E6
                                                                  • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?), ref: 004076EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite
                                                                  • String ID: Error$Runtime error at 00000000
                                                                  • API String ID: 3320372497-2970929446
                                                                  • Opcode ID: bcadf97d171622b971a48ef55ce44254769ff37e7ce13582472eefcd77e0394f
                                                                  • Instruction ID: 8e7c00c9dcfef4ecea202c25e54e487df448fc8b33d2ce18683e8ba9e0f24e41
                                                                  • Opcode Fuzzy Hash: bcadf97d171622b971a48ef55ce44254769ff37e7ce13582472eefcd77e0394f
                                                                  • Instruction Fuzzy Hash: 8DF0C2E1E8820078EA207BA54C86F5B2A5C4752B2AF10493FF621B56C2C6BD5884872F
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 77%
                                                                  			E00429208(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                                  				char _v260;
                                                                  				char _v768;
                                                                  				char _v772;
                                                                  				short* _v776;
                                                                  				intOrPtr _v780;
                                                                  				char _v784;
                                                                  				signed int _v788;
                                                                  				signed short* _v792;
                                                                  				char _v796;
                                                                  				char _v800;
                                                                  				intOrPtr* _v804;
                                                                  				signed short* _v808;
                                                                  				void* __ebp;
                                                                  				signed char _t55;
                                                                  				signed int _t64;
                                                                  				void* _t72;
                                                                  				intOrPtr* _t83;
                                                                  				void* _t103;
                                                                  				void* _t105;
                                                                  				void* _t108;
                                                                  				void* _t109;
                                                                  				intOrPtr* _t118;
                                                                  				void* _t122;
                                                                  				intOrPtr _t123;
                                                                  				char* _t124;
                                                                  				void* _t125;
                                                                  
                                                                  				_t110 = __ecx;
                                                                  				_v780 = __ecx;
                                                                  				_v808 = __edx;
                                                                  				_v776 = __eax;
                                                                  				if((_v808[0] & 0x00000020) == 0) {
                                                                  					E00428EC8(0x80070057);
                                                                  				}
                                                                  				_t55 =  *_v808 & 0x0000ffff;
                                                                  				if((_t55 & 0x00000fff) != 0xc) {
                                                                  					_push(_v808);
                                                                  					_push(_v776);
                                                                  					L00427140();
                                                                  					return E00428EC8(_v776);
                                                                  				} else {
                                                                  					if((_t55 & 0x00000040) == 0) {
                                                                  						_v792 = _v808[4];
                                                                  					} else {
                                                                  						_v792 =  *(_v808[4]);
                                                                  					}
                                                                  					_v788 =  *_v792 & 0x0000ffff;
                                                                  					_t103 = _v788 - 1;
                                                                  					if(_t103 < 0) {
                                                                  						L9:
                                                                  						_push( &_v772);
                                                                  						_t64 = _v788;
                                                                  						_push(_t64);
                                                                  						_push(0xc);
                                                                  						L00427714();
                                                                  						_t123 = _t64;
                                                                  						if(_t123 == 0) {
                                                                  							E00428C20(_t110);
                                                                  						}
                                                                  						E00429164(_v776);
                                                                  						 *_v776 = 0x200c;
                                                                  						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                                                  						_t105 = _v788 - 1;
                                                                  						if(_t105 < 0) {
                                                                  							L14:
                                                                  							_t107 = _v788 - 1;
                                                                  							if(E00429180(_v788 - 1, _t125) != 0) {
                                                                  								L0042772C();
                                                                  								E00428EC8(_v792);
                                                                  								L0042772C();
                                                                  								E00428EC8( &_v260);
                                                                  								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                                  							}
                                                                  							_t72 = E004291B0(_t107, _t125);
                                                                  						} else {
                                                                  							_t108 = _t105 + 1;
                                                                  							_t83 =  &_v768;
                                                                  							_t118 =  &_v260;
                                                                  							do {
                                                                  								 *_t118 =  *_t83;
                                                                  								_t118 = _t118 + 4;
                                                                  								_t83 = _t83 + 8;
                                                                  								_t108 = _t108 - 1;
                                                                  							} while (_t108 != 0);
                                                                  							do {
                                                                  								goto L14;
                                                                  							} while (_t72 != 0);
                                                                  							return _t72;
                                                                  						}
                                                                  					} else {
                                                                  						_t109 = _t103 + 1;
                                                                  						_t122 = 0;
                                                                  						_t124 =  &_v772;
                                                                  						do {
                                                                  							_v804 = _t124;
                                                                  							_push(_v804 + 4);
                                                                  							_t23 = _t122 + 1; // 0x1
                                                                  							_push(_v792);
                                                                  							L0042771C();
                                                                  							E00428EC8(_v792);
                                                                  							_push( &_v784);
                                                                  							_t26 = _t122 + 1; // 0x1
                                                                  							_push(_v792);
                                                                  							L00427724();
                                                                  							E00428EC8(_v792);
                                                                  							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                  							_t122 = _t122 + 1;
                                                                  							_t124 = _t124 + 8;
                                                                  							_t109 = _t109 - 1;
                                                                  						} while (_t109 != 0);
                                                                  						goto L9;
                                                                  					}
                                                                  				}
                                                                  			}






























                                                                  APIs
                                                                  • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004292BD
                                                                  • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004292D9
                                                                  • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429312
                                                                  • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0042938F
                                                                  • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004293A8
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 004293E3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                  • String ID:
                                                                  • API String ID: 351091851-0
                                                                  • Opcode ID: 2794ac47a9dfeb26b88a03ac4d1a853a299fb3d03b0a8c1988b6f7382be60e0b
                                                                  • Instruction ID: ed5b5572db2c6aea52d03e12d037d8ed927b089f3383118c81215fa9c213cc81
                                                                  • Opcode Fuzzy Hash: 2794ac47a9dfeb26b88a03ac4d1a853a299fb3d03b0a8c1988b6f7382be60e0b
                                                                  • Instruction Fuzzy Hash: CC51DA75A012399BCB22DB59DD81BD9B3FCAF4C304F8041DAE508E7251DA34AF818F69
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 85%
                                                                  			E0041F01C(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
                                                                  				intOrPtr _v8;
                                                                  				intOrPtr _v12;
                                                                  				char _v534;
                                                                  				short _v1056;
                                                                  				short _v1568;
                                                                  				struct _MEMORY_BASIC_INFORMATION _v1596;
                                                                  				char _v1600;
                                                                  				intOrPtr _v1604;
                                                                  				char _v1608;
                                                                  				intOrPtr _v1612;
                                                                  				char _v1616;
                                                                  				intOrPtr _v1620;
                                                                  				char _v1624;
                                                                  				char* _v1628;
                                                                  				char _v1632;
                                                                  				char _v1636;
                                                                  				char _v1640;
                                                                  				intOrPtr _t55;
                                                                  				signed int _t76;
                                                                  				void* _t82;
                                                                  				intOrPtr _t83;
                                                                  				intOrPtr _t95;
                                                                  				intOrPtr _t98;
                                                                  				intOrPtr _t100;
                                                                  				intOrPtr* _t102;
                                                                  				void* _t105;
                                                                  
                                                                  				_v1640 = 0;
                                                                  				_v8 = __ecx;
                                                                  				_t82 = __edx;
                                                                  				_t102 = __eax;
                                                                  				_push(_t105);
                                                                  				_push(0x41f1c8);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t105 + 0xfffff99c;
                                                                  				VirtualQuery(__edx,  &_v1596, 0x1c);
                                                                  				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
                                                                  					GetModuleFileNameW( *0x4b0634,  &_v1056, 0x105);
                                                                  					_v12 = E0041F010(_t82);
                                                                  				} else {
                                                                  					_v12 = _t82 - _v1596.AllocationBase;
                                                                  				}
                                                                  				E0041A69C( &_v534, 0x104, E004204FC() + 2);
                                                                  				_t83 = 0x41f1dc;
                                                                  				_t100 = 0x41f1dc;
                                                                  				_t95 =  *0x414ecc; // 0x414f24
                                                                  				if(E00405F48(_t102, _t95) != 0) {
                                                                  					_t83 = E004084C8( *((intOrPtr*)(_t102 + 4)));
                                                                  					_t76 = E00407ED8(_t83);
                                                                  					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
                                                                  						_t100 = 0x41f1e0;
                                                                  					}
                                                                  				}
                                                                  				_t55 =  *0x4ac774; // 0x40e9f8
                                                                  				_t18 = _t55 + 4; // 0xffec
                                                                  				LoadStringW(E0040A364( *0x4b0634),  *_t18,  &_v1568, 0x100);
                                                                  				E00405BC8( *_t102,  &_v1640);
                                                                  				_v1636 = _v1640;
                                                                  				_v1632 = 0x11;
                                                                  				_v1628 =  &_v534;
                                                                  				_v1624 = 0xa;
                                                                  				_v1620 = _v12;
                                                                  				_v1616 = 5;
                                                                  				_v1612 = _t83;
                                                                  				_v1608 = 0xa;
                                                                  				_v1604 = _t100;
                                                                  				_v1600 = 0xa;
                                                                  				E0041A934(4,  &_v1636);
                                                                  				E00407ED8(_v8);
                                                                  				_pop(_t98);
                                                                  				 *[fs:eax] = _t98;
                                                                  				_push(0x41f1cf);
                                                                  				return E004079F4( &_v1640);
                                                                  			}


                                                                  APIs
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F1C8), ref: 0041F04F
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F073
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F08E
                                                                  • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F129
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName$LoadQueryStringVirtual
                                                                  • String ID: $OA
                                                                  • API String ID: 3990497365-3057587682
                                                                  • Opcode ID: a96d2beb162df43ddadfc5db31274654c9e37a74e946f5556500ab8d9869eb07
                                                                  • Instruction ID: d6d88cd0fe853d51226c3c26c9cb5cf48511ec36f022bd765e41d06481bb46b4
                                                                  • Opcode Fuzzy Hash: a96d2beb162df43ddadfc5db31274654c9e37a74e946f5556500ab8d9869eb07
                                                                  • Instruction Fuzzy Hash: 92412170A002189FDB20DF69CD81BCABBF9AB59304F4044FAE508E7241D7799E95CF59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 80%
                                                                  			E00491188(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                  				char _v5;
                                                                  				char _v12;
                                                                  				char _v16;
                                                                  				char _v20;
                                                                  				void* _t23;
                                                                  				char _t29;
                                                                  				void* _t50;
                                                                  				intOrPtr _t55;
                                                                  				char _t57;
                                                                  				intOrPtr _t59;
                                                                  				void* _t64;
                                                                  				void* _t66;
                                                                  				void* _t68;
                                                                  				void* _t69;
                                                                  				intOrPtr _t70;
                                                                  
                                                                  				_t64 = __edi;
                                                                  				_t57 = __edx;
                                                                  				_t50 = __ecx;
                                                                  				_t68 = _t69;
                                                                  				_t70 = _t69 + 0xfffffff0;
                                                                  				_v20 = 0;
                                                                  				if(__edx != 0) {
                                                                  					_t70 = _t70 + 0xfffffff0;
                                                                  					_t23 = E00406284(_t23, _t68);
                                                                  				}
                                                                  				_t49 = _t50;
                                                                  				_v5 = _t57;
                                                                  				_t66 = _t23;
                                                                  				_push(_t68);
                                                                  				_push(0x491281);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t70;
                                                                  				E00405C98(0);
                                                                  				_t3 = _t66 + 0x2c; // 0x266461
                                                                  				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
                                                                  				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
                                                                  					_t29 = 0;
                                                                  				} else {
                                                                  					_t29 = 1;
                                                                  				}
                                                                  				 *((char*)(_t66 + 0xd)) = _t29;
                                                                  				if( *(_t66 + 0x2c) != 0) {
                                                                  					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
                                                                  					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
                                                                  				} else {
                                                                  					if(_a4 == 0) {
                                                                  						_t12 = _t66 + 4; // 0x48f524
                                                                  						 *((intOrPtr*)(_t66 + 8)) = E004078B4(0, E00491094, 0, _t12, 4, _t66);
                                                                  					} else {
                                                                  						_t9 = _t66 + 4; // 0x48f524
                                                                  						 *((intOrPtr*)(_t66 + 8)) = E004078B4(0, E00491094, _a4, _t9, 0x10004, _t66);
                                                                  					}
                                                                  					if( *((intOrPtr*)(_t66 + 8)) == 0) {
                                                                  						E0041E0D0(GetLastError(), _t49, 0, _t66);
                                                                  						_v16 = _v20;
                                                                  						_v12 = 0x11;
                                                                  						_t55 =  *0x4ac740; // 0x40ed5c
                                                                  						E0041F47C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
                                                                  						E004070F0();
                                                                  					}
                                                                  				}
                                                                  				_pop(_t59);
                                                                  				 *[fs:eax] = _t59;
                                                                  				_push(0x491288);
                                                                  				return E004079F4( &_v20);
                                                                  			}

                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,00491281,?,0048F520,00000000), ref: 00491223
                                                                    • Part of subcall function 004078B4: CreateThread.KERNEL32 ref: 0040790E
                                                                  • GetCurrentThread.KERNEL32 ref: 0049125B
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00491263
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$Current$CreateErrorLast
                                                                  • String ID: 87G$\@
                                                                  • API String ID: 3539746228-2066971451
                                                                  • Opcode ID: 0c7a064095abbba4d6b7da4e4b0f066ab91424e297beb825eafe8628d3b7bd59
                                                                  • Instruction ID: cd7bd7be20694b87a1c2bb2b5688f5d4ed930c7c57bb5d88aec25e4adc3e1893
                                                                  • Opcode Fuzzy Hash: 0c7a064095abbba4d6b7da4e4b0f066ab91424e297beb825eafe8628d3b7bd59
                                                                  • Instruction Fuzzy Hash: 3A313530904746AEDB20EB72C8417AB7FE4AF09304F40C97FE555E72E1D638A444CB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 34%
                                                                  			E004A1754(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                  				char _v8;
                                                                  				char _v12;
                                                                  				void* _t24;
                                                                  				intOrPtr _t28;
                                                                  				void* _t31;
                                                                  				void* _t32;
                                                                  				intOrPtr _t35;
                                                                  
                                                                  				_t32 = __esi;
                                                                  				_t31 = __edi;
                                                                  				_push(0);
                                                                  				_push(0);
                                                                  				_t24 = __eax;
                                                                  				_push(_t35);
                                                                  				_push(0x4a17de);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t35;
                                                                  				if(( *0x4b36f1 & 0x00000001) == 0) {
                                                                  					E004079F4( &_v8);
                                                                  				} else {
                                                                  					E00407E1C( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
                                                                  				}
                                                                  				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
                                                                  				_push(_v8);
                                                                  				_push(_t24);
                                                                  				_push(0x4a2a64);
                                                                  				_push(L"For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline");
                                                                  				E004087A4( &_v12, _t24, 5, _t31, _t32);
                                                                  				MessageBoxW(0, E004084C8(_v12), L"Setup", 0x10);
                                                                  				_pop(_t28);
                                                                  				 *[fs:eax] = _t28;
                                                                  				_push(E004A17E5);
                                                                  				return E00407A54( &_v12, 2);
                                                                  			}











                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004A17BE
                                                                  Strings
                                                                  • Setup, xrefs: 004A17AE
                                                                  • For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004A179A
                                                                  • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004A1778
                                                                  • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004A178C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Message
                                                                  • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
                                                                  • API String ID: 2030045667-3658955972
                                                                  • Opcode ID: a94d50d81a6e2cc3bfa3c026c0632b711f985fbaceea9a46abe21cd4780a8ba2
                                                                  • Instruction ID: 88dead5f9a7c20edb7beb83f6ba38d9cb82b01f16d90bc6a7ad013ea96492960
                                                                  • Opcode Fuzzy Hash: a94d50d81a6e2cc3bfa3c026c0632b711f985fbaceea9a46abe21cd4780a8ba2
                                                                  • Instruction Fuzzy Hash: 8101D638744308BAE311EB91CD43F9AB7ACD756B48F60047BB500B26E1D6FC6E40952D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 68%
                                                                  			E0042F6DC(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                  				signed int _v8;
                                                                  				signed char _v9;
                                                                  				signed int _v12;
                                                                  				signed int _v14;
                                                                  				void* _v20;
                                                                  				void* _v24;
                                                                  				signed short* _v28;
                                                                  				signed short* _v32;
                                                                  				signed int _v48;
                                                                  				void* __ebp;
                                                                  				signed int _t150;
                                                                  				signed int _t272;
                                                                  				intOrPtr _t328;
                                                                  				intOrPtr _t331;
                                                                  				intOrPtr _t339;
                                                                  				intOrPtr _t347;
                                                                  				intOrPtr _t355;
                                                                  				void* _t361;
                                                                  				void* _t363;
                                                                  				intOrPtr _t364;
                                                                  
                                                                  				_t368 = __fp0;
                                                                  				_t358 = __edi;
                                                                  				_t361 = _t363;
                                                                  				_t364 = _t363 + 0xffffffd4;
                                                                  				_v8 = __ecx;
                                                                  				_v32 = __edx;
                                                                  				_v28 = __eax;
                                                                  				_v9 = 1;
                                                                  				_t272 =  *_v28 & 0x0000ffff;
                                                                  				if((_t272 & 0x00000fff) >= 0x10f) {
                                                                  					_t150 =  *_v32 & 0x0000ffff;
                                                                  					if(_t150 != 0) {
                                                                  						if(_t150 != 1) {
                                                                  							if(E00430584(_t272,  &_v20) != 0) {
                                                                  								_push( &_v14);
                                                                  								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
                                                                  									_t275 =  *_v32 & 0x0000ffff;
                                                                  									if(( *_v32 & 0xfff) >= 0x10f) {
                                                                  										if(E00430584(_t275,  &_v24) != 0) {
                                                                  											_push( &_v12);
                                                                  											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                                  												E00428ADC(0xb);
                                                                  												goto L41;
                                                                  											} else {
                                                                  												if(( *_v28 & 0x0000ffff) == _v12) {
                                                                  													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                  													_v9 =  *(0x4ab3d2 + _v8 * 2 + _t143) & 0x000000ff;
                                                                  													goto L41;
                                                                  												} else {
                                                                  													_push( &_v48);
                                                                  													L00427130();
                                                                  													_push(_t361);
                                                                  													_push(0x42fad4);
                                                                  													_push( *[fs:eax]);
                                                                  													 *[fs:eax] = _t364;
                                                                  													_t289 = _v12 & 0x0000ffff;
                                                                  													E00429890( &_v48, _v12 & 0x0000ffff, _v28, __edi, __esi, __fp0);
                                                                  													if((_v48 & 0x0000ffff) != _v12) {
                                                                  														E004289E4(_t289);
                                                                  													}
                                                                  													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                  													_v9 =  *(0x4ab3d2 + _v8 * 2 + _t131) & 0x000000ff;
                                                                  													_pop(_t328);
                                                                  													 *[fs:eax] = _t328;
                                                                  													_push(0x42fb09);
                                                                  													return E00429164( &_v48);
                                                                  												}
                                                                  											}
                                                                  										} else {
                                                                  											E00428ADC(0xb);
                                                                  											goto L41;
                                                                  										}
                                                                  									} else {
                                                                  										_push( &_v48);
                                                                  										L00427130();
                                                                  										_push(_t361);
                                                                  										_push(0x42fa1b);
                                                                  										_push( *[fs:eax]);
                                                                  										 *[fs:eax] = _t364;
                                                                  										_t294 =  *_v32 & 0x0000ffff;
                                                                  										E00429890( &_v48,  *_v32 & 0x0000ffff, _v28, __edi, __esi, __fp0);
                                                                  										if(( *_v32 & 0x0000ffff) != _v48) {
                                                                  											E004289E4(_t294);
                                                                  										}
                                                                  										_v9 = E0042F4F4( &_v48, _v8, _v32, _t358, _t361, _t368);
                                                                  										_pop(_t331);
                                                                  										 *[fs:eax] = _t331;
                                                                  										_push(0x42fb09);
                                                                  										return E00429164( &_v48);
                                                                  									}
                                                                  								} else {
                                                                  									if(( *_v32 & 0x0000ffff) == _v14) {
                                                                  										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                  										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t95) & 0x000000ff;
                                                                  										goto L41;
                                                                  									} else {
                                                                  										_push( &_v48);
                                                                  										L00427130();
                                                                  										_push(_t361);
                                                                  										_push(0x42f976);
                                                                  										_push( *[fs:eax]);
                                                                  										 *[fs:eax] = _t364;
                                                                  										_t299 = _v14 & 0x0000ffff;
                                                                  										E00429890( &_v48, _v14 & 0x0000ffff, _v32, __edi, __esi, __fp0);
                                                                  										if((_v48 & 0x0000ffff) != _v14) {
                                                                  											E004289E4(_t299);
                                                                  										}
                                                                  										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                  										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t83) & 0x000000ff;
                                                                  										_pop(_t339);
                                                                  										 *[fs:eax] = _t339;
                                                                  										_push(0x42fb09);
                                                                  										return E00429164( &_v48);
                                                                  									}
                                                                  								}
                                                                  							} else {
                                                                  								E00428ADC(__ecx);
                                                                  								goto L41;
                                                                  							}
                                                                  						} else {
                                                                  							_v9 = E0042F274(_v8, 2);
                                                                  							goto L41;
                                                                  						}
                                                                  					} else {
                                                                  						_v9 = E0042F260(0, 1);
                                                                  						goto L41;
                                                                  					}
                                                                  				} else {
                                                                  					if(_t272 != 0) {
                                                                  						if(_t272 != 1) {
                                                                  							if(E00430584( *_v32 & 0x0000ffff,  &_v24) != 0) {
                                                                  								_push( &_v12);
                                                                  								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                                  									_push( &_v48);
                                                                  									L00427130();
                                                                  									_push(_t361);
                                                                  									_push(0x42f887);
                                                                  									_push( *[fs:eax]);
                                                                  									 *[fs:eax] = _t364;
                                                                  									_t306 =  *_v28 & 0x0000ffff;
                                                                  									E00429890( &_v48,  *_v28 & 0x0000ffff, _v32, __edi, __esi, __fp0);
                                                                  									if((_v48 & 0xfff) !=  *_v28) {
                                                                  										E004289E4(_t306);
                                                                  									}
                                                                  									_v9 = E0042F4F4(_v28, _v8,  &_v48, _t358, _t361, _t368);
                                                                  									_pop(_t347);
                                                                  									 *[fs:eax] = _t347;
                                                                  									_push(0x42fb09);
                                                                  									return E00429164( &_v48);
                                                                  								} else {
                                                                  									if(( *_v28 & 0x0000ffff) == _v12) {
                                                                  										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                  										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t44) & 0x000000ff;
                                                                  										goto L41;
                                                                  									} else {
                                                                  										_push( &_v48);
                                                                  										L00427130();
                                                                  										_push(_t361);
                                                                  										_push(0x42f7f0);
                                                                  										_push( *[fs:eax]);
                                                                  										 *[fs:eax] = _t364;
                                                                  										_t311 = _v12 & 0x0000ffff;
                                                                  										E00429890( &_v48, _v12 & 0x0000ffff, _v28, __edi, __esi, __fp0);
                                                                  										if((_v48 & 0xfff) != _v12) {
                                                                  											E004289E4(_t311);
                                                                  										}
                                                                  										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                  										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t32) & 0x000000ff;
                                                                  										_pop(_t355);
                                                                  										 *[fs:eax] = _t355;
                                                                  										_push(0x42fb09);
                                                                  										return E00429164( &_v48);
                                                                  									}
                                                                  								}
                                                                  							} else {
                                                                  								E00428ADC(__ecx);
                                                                  								goto L41;
                                                                  							}
                                                                  						} else {
                                                                  							_v9 = E0042F274(_v8, 0);
                                                                  							goto L41;
                                                                  						}
                                                                  					} else {
                                                                  						_v9 = E0042F260(1, 0);
                                                                  						L41:
                                                                  						return _v9 & 0x000000ff;
                                                                  					}
                                                                  				}
                                                                  			}























                                                                  0x0042f720
                                                                  0x0042f746
                                                                  0x0042f755
                                                                  0x0042f768
                                                                  0x0042f826
                                                                  0x0042f827
                                                                  0x0042f82e
                                                                  0x0042f82f
                                                                  0x0042f834
                                                                  0x0042f837
                                                                  0x0042f83d
                                                                  0x0042f846
                                                                  0x0042f859
                                                                  0x0042f85b
                                                                  0x0042f85b
                                                                  0x0042f86e
                                                                  0x0042f873
                                                                  0x0042f876
                                                                  0x0042f879
                                                                  0x0042f886
                                                                  0x0042f76e
                                                                  0x0042f778
                                                                  0x0042f816
                                                                  0x0042f81b
                                                                  0x00000000
                                                                  0x0042f77a
                                                                  0x0042f77d
                                                                  0x0042f77e
                                                                  0x0042f785
                                                                  0x0042f786
                                                                  0x0042f78b
                                                                  0x0042f78e
                                                                  0x0042f791
                                                                  0x0042f79b
                                                                  0x0042f7ac
                                                                  0x0042f7ae
                                                                  0x0042f7ae
                                                                  0x0042f7d2
                                                                  0x0042f7d7
                                                                  0x0042f7dc
                                                                  0x0042f7df
                                                                  0x0042f7e2
                                                                  0x0042f7ef
                                                                  0x0042f7ef
                                                                  0x0042f778
                                                                  0x0042f748
                                                                  0x0042f748
                                                                  0x00000000
                                                                  0x0042f748
                                                                  0x0042f722
                                                                  0x0042f72e
                                                                  0x00000000
                                                                  0x0042f72e
                                                                  0x0042f70b
                                                                  0x0042f714
                                                                  0x0042fb09
                                                                  0x0042fb11
                                                                  0x0042fb11
                                                                  0x0042f709

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 74738e14bd11834c42270b1f526ff37a822d84726435ceec5f4335d4c6c5fa18
                                                                  • Instruction ID: 66614a77be29197391dbf0046290447a78b6802db73ccca8e639b69c8d9a2377
                                                                  • Opcode Fuzzy Hash: 74738e14bd11834c42270b1f526ff37a822d84726435ceec5f4335d4c6c5fa18
                                                                  • Instruction Fuzzy Hash: 8AD16F74F002199FCF00DBA5D4928FEBBB5EF49300BD084BBE840A7351D638A949DB65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 91%
                                                                  			E00422D94(void* __eax, void* __ebx, char __ecx, short* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                                                  				char _v8;
                                                                  				short* _v12;
                                                                  				char _v16;
                                                                  				int _v20;
                                                                  				int _v24;
                                                                  				signed int _t58;
                                                                  				char _t66;
                                                                  				intOrPtr _t82;
                                                                  				void* _t87;
                                                                  				signed int _t93;
                                                                  				void* _t96;
                                                                  
                                                                  				_v8 = 0;
                                                                  				_v16 = __ecx;
                                                                  				_v12 = __edx;
                                                                  				_t87 = __eax;
                                                                  				_push(_t96);
                                                                  				_push(0x422eca);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t96 + 0xffffffec;
                                                                  				while(1) {
                                                                  					_v24 = 0;
                                                                  					if(RegQueryValueExW(_t87, _v12, 0,  &_v20, 0,  &_v24) != 0) {
                                                                  						break;
                                                                  					}
                                                                  					_t9 =  &_a8; // 0x42300a
                                                                  					if(_v20 ==  *_t9 || _v20 == _a4) {
                                                                  						if(_v24 != 0) {
                                                                  							__eflags = _v24 - 0x70000000;
                                                                  							if(__eflags >= 0) {
                                                                  								E0041F378();
                                                                  							}
                                                                  							_t80 = _v24 + 1 >> 1;
                                                                  							E00407B7C( &_v8, _v24 + 1 >> 1, 0, __eflags);
                                                                  							_t58 = RegQueryValueExW(_t87, _v12, 0,  &_v20, E00407F74( &_v8),  &_v24);
                                                                  							__eflags = _t58 - 0xea;
                                                                  							if(_t58 == 0xea) {
                                                                  								continue;
                                                                  							} else {
                                                                  								__eflags = _t58;
                                                                  								if(_t58 != 0) {
                                                                  									break;
                                                                  								}
                                                                  								_t22 =  &_a8; // 0x42300a
                                                                  								__eflags = _v20 -  *_t22;
                                                                  								if(_v20 ==  *_t22) {
                                                                  									L12:
                                                                  									_t93 = _v24 >> 1;
                                                                  									while(1) {
                                                                  										__eflags = _t93;
                                                                  										if(_t93 == 0) {
                                                                  											break;
                                                                  										}
                                                                  										_t66 = _v8;
                                                                  										__eflags =  *((short*)(_t66 + _t93 * 2 - 2));
                                                                  										if( *((short*)(_t66 + _t93 * 2 - 2)) == 0) {
                                                                  											_t93 = _t93 - 1;
                                                                  											__eflags = _t93;
                                                                  											continue;
                                                                  										}
                                                                  										break;
                                                                  									}
                                                                  									__eflags = _v20 - 7;
                                                                  									if(_v20 == 7) {
                                                                  										__eflags = _t93;
                                                                  										if(_t93 != 0) {
                                                                  											_t93 = _t93 + 1;
                                                                  											__eflags = _t93;
                                                                  										}
                                                                  									}
                                                                  									E00408644( &_v8, _t80, _t93);
                                                                  									__eflags = _v20 - 7;
                                                                  									if(_v20 == 7) {
                                                                  										__eflags = _t93;
                                                                  										if(_t93 != 0) {
                                                                  											(E00407F74( &_v8))[_t93 * 2 - 2] = 0;
                                                                  										}
                                                                  									}
                                                                  									_t37 =  &_v16; // 0x42300a
                                                                  									E00407DD4( *_t37, _v8);
                                                                  									break;
                                                                  								}
                                                                  								__eflags = _v20 - _a4;
                                                                  								if(_v20 != _a4) {
                                                                  									break;
                                                                  								}
                                                                  								goto L12;
                                                                  							}
                                                                  						} else {
                                                                  							_t13 =  &_v16; // 0x42300a
                                                                  							E004079F4( *_t13);
                                                                  							break;
                                                                  						}
                                                                  					} else {
                                                                  						break;
                                                                  					}
                                                                  				}
                                                                  				_pop(_t82);
                                                                  				 *[fs:eax] = _t82;
                                                                  				_push(E00422ED1);
                                                                  				return E004079F4( &_v8);
                                                                  			}















                                                                  APIs
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00422ECA,?,004A136C,00000000), ref: 00422DD0
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00422ECA,?,004A136C), ref: 00422E3E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID: 0B$0B
                                                                  • API String ID: 3660427363-2047223620
                                                                  • Opcode ID: 85ea2ee95df027a8257bc04a9519c47954d8331ee6ef31d063f3570c986b0507
                                                                  • Instruction ID: 98124c36cd85d2e56ec74749d84b118a58c0a5b819721e5426fed98b2f6fb40a
                                                                  • Opcode Fuzzy Hash: 85ea2ee95df027a8257bc04a9519c47954d8331ee6ef31d063f3570c986b0507
                                                                  • Instruction Fuzzy Hash: AE414F31A00229BBDB14DB95DA81ABFB3B8FF14700F91446AE800B7290D778AE41D799
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 75%
                                                                  			E0041C8B0(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                                                  				char _v8;
                                                                  				short _v18;
                                                                  				short _v22;
                                                                  				struct _SYSTEMTIME _v24;
                                                                  				short _v536;
                                                                  				short* _t32;
                                                                  				intOrPtr* _t47;
                                                                  				intOrPtr _t56;
                                                                  				void* _t61;
                                                                  				intOrPtr _t63;
                                                                  				void* _t67;
                                                                  
                                                                  				_v8 = 0;
                                                                  				_t47 = __edx;
                                                                  				_t61 = __eax;
                                                                  				_push(_t67);
                                                                  				_push(0x41c993);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t67 + 0xfffffdec;
                                                                  				E004079F4(__edx);
                                                                  				_v24 =  *(_a4 - 2) & 0x0000ffff;
                                                                  				_v22 =  *(_a4 - 4) & 0x0000ffff;
                                                                  				_v18 =  *(_a4 - 6) & 0x0000ffff;
                                                                  				if(_t61 > 2) {
                                                                  					E00407E1C( &_v8, L"yyyy");
                                                                  				} else {
                                                                  					E00407E1C( &_v8, 0x41c9ac);
                                                                  				}
                                                                  				_t32 = E004084C8(_v8);
                                                                  				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
                                                                  					E0040856C(_t47, 0x100,  &_v536);
                                                                  					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
                                                                  						_t63 =  *_t47;
                                                                  						if(_t63 != 0) {
                                                                  							_t63 =  *((intOrPtr*)(_t63 - 4));
                                                                  						}
                                                                  						E0040888C( *_t47, _t63 - 1, 2, _t47);
                                                                  					}
                                                                  				}
                                                                  				_pop(_t56);
                                                                  				 *[fs:eax] = _t56;
                                                                  				_push(0x41c99a);
                                                                  				return E004079F4( &_v8);
                                                                  			}

                                                                  APIs
                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C993), ref: 0041C936
                                                                  • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C993), ref: 0041C93C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DateFormatLocaleThread
                                                                  • String ID: $yyyy
                                                                  • API String ID: 3303714858-404527807
                                                                  • Opcode ID: df7dc0c0cfe83e2716fada29b3ec226a844ef90c6556877d7290f236e844f23c
                                                                  • Instruction ID: 7872b70f8d9c9f4bf3ec9f73f967c83ea165cdf14193664953d7fcc649099f55
                                                                  • Opcode Fuzzy Hash: df7dc0c0cfe83e2716fada29b3ec226a844ef90c6556877d7290f236e844f23c
                                                                  • Instruction Fuzzy Hash: C8218371A502189BDB10EF55CD82AAEB3B8EF08740F5044BAF844E7291D6389E40C7AA
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 58%
                                                                  			E0040AA3C(signed short __eax, void* __edx) {
                                                                  				char _v8;
                                                                  				char _v12;
                                                                  				intOrPtr _v16;
                                                                  				signed int _v20;
                                                                  				short _v22;
                                                                  				short _v24;
                                                                  				char _v26;
                                                                  				char _v32;
                                                                  				void* __ebp;
                                                                  				void* _t39;
                                                                  				void* _t55;
                                                                  				void* _t59;
                                                                  				short* _t62;
                                                                  				signed short _t66;
                                                                  				void* _t67;
                                                                  				void* _t68;
                                                                  				signed short _t79;
                                                                  				void* _t81;
                                                                  
                                                                  				_t81 = __edx;
                                                                  				_t66 = __eax;
                                                                  				_v16 = 0;
                                                                  				if(__eax !=  *0x4afc08()) {
                                                                  					_v16 = E0040A9F8( &_v8);
                                                                  					_t79 = _t66;
                                                                  					_v20 = 3;
                                                                  					_t62 =  &_v26;
                                                                  					do {
                                                                  						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                                                  						_t79 = (_t79 & 0x0000ffff) >> 4;
                                                                  						_v20 = _v20 - 1;
                                                                  						_t62 = _t62 - 2;
                                                                  					} while (_v20 != 0xffffffff);
                                                                  					_v24 = 0;
                                                                  					_v22 = 0;
                                                                  					 *0x4afc04(4,  &_v32,  &_v20);
                                                                  				}
                                                                  				_t39 = E0040A9F8( &_v12);
                                                                  				_t67 = _t39;
                                                                  				if(_t67 != 0) {
                                                                  					_t55 = _v12 - 2;
                                                                  					if(_t55 >= 0) {
                                                                  						_t59 = _t55 + 1;
                                                                  						_v20 = 0;
                                                                  						do {
                                                                  							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                                                  								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                                                  							}
                                                                  							_v20 = _v20 + 1;
                                                                  							_t59 = _t59 - 1;
                                                                  						} while (_t59 != 0);
                                                                  					}
                                                                  					E00408530(_t81, _t67);
                                                                  					_t39 = E0040540C(_t67);
                                                                  				}
                                                                  				if(_v16 != 0) {
                                                                  					 *0x4afc04(0, 0,  &_v20);
                                                                  					_t68 = E0040A9F8( &_v12);
                                                                  					if(_v8 != _v12 || E0040A9D4(_v16, _v12, _t68) != 0) {
                                                                  						 *0x4afc04(8, _v16,  &_v20);
                                                                  					}
                                                                  					E0040540C(_t68);
                                                                  					return E0040540C(_v16);
                                                                  				}
                                                                  				return _t39;
                                                                  			}

                                                                  APIs
                                                                  • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040AA4D
                                                                  • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040AAAB
                                                                  • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040AB08
                                                                  • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040AB3B
                                                                    • Part of subcall function 0040A9F8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040AAB9), ref: 0040AA0F
                                                                    • Part of subcall function 0040A9F8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040AAB9), ref: 0040AA2C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$LanguagesPreferred$Language
                                                                  • String ID:
                                                                  • API String ID: 2255706666-0
                                                                  • Opcode ID: cd06836042f7dc8c715063394acf5e4e52feefd8764bcfa4f6b7f58fc5ac6852
                                                                  • Instruction ID: b1904a49824afe99751246d4952eda1d7de773daf142b1b34e0f1b3e25ee96c1
                                                                  • Opcode Fuzzy Hash: cd06836042f7dc8c715063394acf5e4e52feefd8764bcfa4f6b7f58fc5ac6852
                                                                  • Instruction Fuzzy Hash: 07317A70A0021A9BDB10EBE9C885AAFB7B8FF04304F40427AE911F72D1DB789E45CB55
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 65%
                                                                  			E0040E4A8(void* __ebx, void* __esi, struct HINSTANCE__* _a4, char _a8) {
                                                                  				char _v8;
                                                                  				_Unknown_base(*)()* _v12;
                                                                  				CHAR* _t31;
                                                                  				intOrPtr _t38;
                                                                  				intOrPtr _t39;
                                                                  				struct HINSTANCE__* _t41;
                                                                  				void* _t43;
                                                                  				void* _t44;
                                                                  				intOrPtr _t45;
                                                                  
                                                                  				_t43 = _t44;
                                                                  				_t45 = _t44 + 0xfffffff8;
                                                                  				_v8 = 0;
                                                                  				_t2 =  &_a8; // 0x42300a
                                                                  				_t31 =  *_t2;
                                                                  				_t41 = _a4;
                                                                  				_push(_t43);
                                                                  				_push(0x40e546);
                                                                  				_push( *[fs:eax]);
                                                                  				 *[fs:eax] = _t45;
                                                                  				if(_t31 >> 0x10 != 0) {
                                                                  					_push(_t43);
                                                                  					 *[fs:eax] = _t45;
                                                                  					E00407A18( &_v8);
                                                                  					E00408104( &_v8, 0, _t31,  *[fs:eax]);
                                                                  					_v12 = GetProcAddress(_t41, E004081CC(_v8));
                                                                  					_t38 = 0x40e529;
                                                                  					 *[fs:eax] = _t38;
                                                                  					_push(E0040E530);
                                                                  					return E00407A18( &_v8);
                                                                  				} else {
                                                                  					_v12 = GetProcAddress(_t41, _t31);
                                                                  					_pop(_t39);
                                                                  					 *[fs:eax] = _t39;
                                                                  					_push(E0040E54D);
                                                                  					return E00407A18( &_v8);
                                                                  				}
                                                                  			}

                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0040E50B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID: 0B
                                                                  • API String ID: 190572456-3041020555
                                                                  • Opcode ID: 73c9e18d93592e43fe666bfe4bf432486626273dc5cba755a9ef1ec8c293c77a
                                                                  • Instruction ID: 64ac29280dfebcd60019ca95f25d34e387ec400068b91dc547cac48b7599c2c3
                                                                  • Opcode Fuzzy Hash: 73c9e18d93592e43fe666bfe4bf432486626273dc5cba755a9ef1ec8c293c77a
                                                                  • Instruction Fuzzy Hash: 6D117770614608BFE701DF62DC5295EB7ACDB49718BA14C7BF404F26C1E63C5F109559
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 79%
                                                                  			E00421B7C(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                  				struct _cpinfo _v24;
                                                                  				void* __ebp;
                                                                  				void* _t14;
                                                                  				struct _cpinfo _t20;
                                                                  				void* _t23;
                                                                  				void* _t29;
                                                                  				int _t30;
                                                                  				intOrPtr _t31;
                                                                  				void* _t32;
                                                                  				void* _t34;
                                                                  				void* _t35;
                                                                  				void* _t36;
                                                                  				int _t40;
                                                                  
                                                                  				_t32 = __edx;
                                                                  				_t30 = __ecx;
                                                                  				if(__edx != 0) {
                                                                  					_t36 = _t36 + 0xfffffff0;
                                                                  					_t14 = E00406284(_t14, _t35);
                                                                  				}
                                                                  				_t29 = _t32;
                                                                  				_t34 = _t14;
                                                                  				if(_t30 != 0) {
                                                                  					 *(_t34 + 0xc) = _t30;
                                                                  				} else {
                                                                  					 *(_t34 + 0xc) = GetACP();
                                                                  				}
                                                                  				 *((intOrPtr*)(_t34 + 0x10)) = _a8;
                                                                  				 *((intOrPtr*)(_t34 + 0x14)) = _a4;
                                                                  				_t40 = GetCPInfo( *(_t34 + 0xc),  &_v24);
                                                                  				if(_t40 == 0) {
                                                                  					_t31 =  *0x4ac694; // 0x40ec78
                                                                  					E0041F440(_t31, 1);
                                                                  					E004070F0();
                                                                  				}
                                                                  				_t20 = _v24;
                                                                  				 *(_t34 + 8) = _t20;
                                                                  				 *((char*)(_t34 + 4)) = _t20 - 0x00000001 & 0xffffff00 | _t40 == 0x00000000;
                                                                  				_t23 = _t34;
                                                                  				if(_t29 != 0) {
                                                                  					E004062DC(_t23);
                                                                  					_pop( *[fs:0x0]);
                                                                  				}
                                                                  				return _t34;
                                                                  			}

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Info
                                                                  • String ID: x@
                                                                  • API String ID: 1807457897-1747526965
                                                                  • Opcode ID: cf44248a1c658bdd47b36df632dd9645ef3597e39912394a14df77dcb10368e0
                                                                  • Instruction ID: 462749be72c426496f1a41d89de2effdbae1b1a2d75a6ab79572deab56c71eea
                                                                  • Opcode Fuzzy Hash: cf44248a1c658bdd47b36df632dd9645ef3597e39912394a14df77dcb10368e0
                                                                  • Instruction Fuzzy Hash: 9C012631A006008FC320EF6AE881957BBF89F14358700853FFC49C7752E639E9008BA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00422EE8(void* __eax, short* __ecx, void* __edx, void** _a4, char _a8, int _a12) {
                                                                  				short* _t8;
                                                                  				void* _t9;
                                                                  				int _t10;
                                                                  
                                                                  				_t9 = __edx;
                                                                  				_t8 = __ecx;
                                                                  				_t1 =  &_a8; // 0x42300a
                                                                  				_t10 =  *_t1;
                                                                  				if(__eax == 2) {
                                                                  					_t10 = _t10 | 0x00000100;
                                                                  				}
                                                                  				return RegOpenKeyExW(_t9, _t8, _a12, _t10, _a4);
                                                                  			}







                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,0B,?,00000000,?,00422FAA,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042300A), ref: 00422F04
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID: 0B$Control Panel\Desktop\ResourceLocale
                                                                  • API String ID: 71445658-3141456704
                                                                  • Opcode ID: 3b69ebcaa1c44acc297296391af532f1a488bbb5d67ca1580915a5ac9ed8a3b1
                                                                  • Instruction ID: 754d8ca44475c60336da28a52261fe1ed214884b621adf6beb20dea320f59cf5
                                                                  • Opcode Fuzzy Hash: 3b69ebcaa1c44acc297296391af532f1a488bbb5d67ca1580915a5ac9ed8a3b1
                                                                  • Instruction Fuzzy Hash: ABD092729102287BAB109A89DC41DFB7B9DAB19360F41852AFD4497200C2B4AC519BE8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  C-Code - Quality: 100%
                                                                  			E00420ACC() {
                                                                  				void* __ebx;
                                                                  				struct HINSTANCE__* _t1;
                                                                  				void* _t4;
                                                                  
                                                                  				_t1 = GetModuleHandleW(L"kernel32.dll");
                                                                  				_t3 = _t1;
                                                                  				if(_t1 != 0) {
                                                                  					_t1 = E0040E4A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
                                                                  					 *0x4a9e30 = _t1;
                                                                  				}
                                                                  				if( *0x4a9e30 == 0) {
                                                                  					 *0x4a9e30 = E0041A5FC;
                                                                  					return E0041A5FC;
                                                                  				}
                                                                  				return _t1;
                                                                  			}







                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420BA8,00000000,00420BC0,?,?,00420B5D), ref: 00420AD2
                                                                    • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.364819078.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.364809348.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365188955.00000000004A9000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365202516.00000000004B2000.00000004.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365211766.00000000004B6000.00000002.00020000.sdmp
                                                                  • Associated: 00000000.00000002.365220446.00000000004B8000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                                  • API String ID: 1646373207-1127948838
                                                                  • Opcode ID: d3fba4843dc8b289438757c69ca8191ca322e81c70d910c138525665c107990f
                                                                  • Instruction ID: 4be4f1343aa80eda7f8312904a91226add29b11054fd17f8baa2da6a23536271
                                                                  • Opcode Fuzzy Hash: d3fba4843dc8b289438757c69ca8191ca322e81c70d910c138525665c107990f
                                                                  • Instruction Fuzzy Hash: 71D05EB03203115FE710DBE5A8C1B5B2ECAA307319F80043BA40065293C7BD9C50C71C
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Execution Graph

                                                                  Execution Coverage:12.3%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:1.4%
                                                                  Total number of Nodes:1937
                                                                  Total number of Limit Nodes:125

                                                                  Graph

24158 60c5ec 24157->24158 24159 421ba4 105 API calls 24157->24159 24160 40876c 12 API calls 24158->24160 24161 60c5cb 24159->24161 24162 60c606 24160->24162 24163 5ab1a0 12 API calls 24161->24163 24164 40876c 12 API calls 24162->24164 24165 60c5d8 24163->24165 24166 60c613 24164->24166 24167 4265c4 12 API calls 24165->24167 24166->24114 24168 60c5e7 24167->24168 24169 407e08 12 API calls 24168->24169 24169->24158 24170->24109 24172 58997c 24171->24172 24172->24120 24172->24121 24186 405988 24173->24186 24175 412e97 CreateWindowExW 24176 412ed1 24175->24176 24176->24125 24178 595dad 24177->24178 24179 595d65 24177->24179 24181 408aec 12 API calls 24178->24181 24179->24178 24180 595d6e GetWindowTextW 24179->24180 24182 408894 12 API calls 24180->24182 24185 595dab 24181->24185 24183 595d8f 24182->24183 24184 408aec 12 API calls 24183->24184 24183->24185 24184->24185 24185->24128 24186->24175 24188 5a3b6d 24187->24188 24188->24134 24190 409ab2 24189->24190 24191 409b37 24190->24191 24192 40993c 12 API calls 24190->24192 24193 409aed 24190->24193 24191->24191 24192->24193 24193->24191 24194 408aec 12 API calls 24193->24194 24194->24191 24195 4f58dc 24196 4f590b 24195->24196 24201 4ee470 117 API calls 24196->24201 24198 4f591d 24202 4d408c 119 API calls 24198->24202 24200 4f5922 24201->24198 24202->24200 24203 637fd0 24208 5ee0a8 58 API calls 24203->24208 24205 637ff0 24209 637d50 24205->24209 24208->24205 24210 637d62 24209->24210 24211 637f7d 24209->24211 24255 45a3a8 24210->24255 24214 408cc0 12 API calls 24215 637d78 24214->24215 24259 5ab294 24215->24259 24221 637db4 24222 637de9 24221->24222 24290 5a467c GetDC 24221->24290 24223 637df9 24222->24223 24224 637e08 24222->24224 24225 408b88 12 API calls 24223->24225 24226 408b88 12 API calls 24224->24226 24228 637e06 24225->24228 24226->24228 24230 637e1e 24228->24230 24231 637e2d 24228->24231 24229 637dd6 24229->24222 24234 408aec 12 API calls 24229->24234 24232 408b88 12 API calls 24230->24232 24233 408b88 12 API 
calls 24231->24233 24235 637e2b 24232->24235 24233->24235 24234->24222 24236 637e43 24235->24236 24237 637e52 24235->24237 24239 408b88 12 API calls 24236->24239 24238 408b88 12 API calls 24237->24238 24240 637e50 24238->24240 24239->24240 24287 5a56a8 24240->24287 24242 637e87 24243 5a56a8 12 API calls 24242->24243 24244 637ea0 24243->24244 24245 5a56a8 12 API calls 24244->24245 24246 637eb9 24245->24246 24247 5a56a8 12 API calls 24246->24247 24248 637ed2 24247->24248 24249 595f5c 14 API calls 24248->24249 24253 637eea 24249->24253 24250 637f5e 24250->24211 24251 637f67 SendNotifyMessageW 24250->24251 24251->24211 24252 45a3a8 105 API calls 24252->24253 24253->24250 24253->24252 24254 408aec 12 API calls 24253->24254 24254->24253 24256 45a3b5 24255->24256 24257 45a3c4 24255->24257 24293 45a31c 105 API calls 24256->24293 24257->24214 24260 5ab2a2 24259->24260 24262 5ab2bb 24260->24262 24294 5ab1e0 12 API calls 24260->24294 24264 5ab2dd 24262->24264 24295 5ab1e0 12 API calls 24262->24295 24267 5ab313 24264->24267 24296 5ab1e0 12 API calls 24264->24296 24268 408894 12 API calls 24267->24268 24269 5ab346 24267->24269 24297 5ab1e0 12 API calls 24267->24297 24268->24267 24270 40a3a0 24269->24270 24272 40a3b7 24270->24272 24271 40a3c6 24276 40a694 24271->24276 24272->24271 24273 40a3ed 24272->24273 24298 40a430 28 API calls 24272->24298 24273->24271 24299 40e24c 26 API calls 24273->24299 24280 40a6b1 24276->24280 24277 40a6c1 24277->24221 24279 408b88 12 API calls 24279->24280 24280->24277 24280->24279 24282 408aec 12 API calls 24280->24282 24285 40a694 59 API calls 24280->24285 24300 4086ec SysAllocStringLen SysFreeString SysReAllocStringLen 24280->24300 24301 40a670 12 API calls 24280->24301 24302 40aabc 59 API calls 24280->24302 24303 40e278 54 API calls 24280->24303 24304 40ba40 28 API calls 24280->24304 24282->24280 24285->24280 24305 421a28 24287->24305 24289 5a56c0 24289->24242 24291 4097c0 24290->24291 24292 5a46b1 EnumFontsW ReleaseDC 24291->24292 24292->24229 
24294->24262 24295->24264 24296->24267 24297->24267 24298->24272 24299->24273 24300->24280 24301->24280 24302->24280 24303->24280 24304->24280 24306 421a36 24305->24306 24307 421a2c 24305->24307 24306->24289 24309 4054ac 12 API calls 24307->24309 24309->24306 24310 642197 24311 6421b2 24310->24311 24312 5a56a8 12 API calls 24311->24312 24313 6421f6 24312->24313 24314 5a56a8 12 API calls 24313->24314 24315 64220f 24314->24315 24316 5a56a8 12 API calls 24315->24316 24317 642228 24316->24317 24318 5a56a8 12 API calls 24317->24318 24319 642241 24318->24319 24320 595f5c 14 API calls 24319->24320 24321 642259 24320->24321 24343 5a2f4c 24321->24343 24324 64228b 24326 6422a4 24324->24326 24327 642294 24324->24327 24347 640f38 24326->24347 24502 640918 107 API calls 24327->24502 24329 642286 24501 426598 76 API calls 24329->24501 24331 6422a9 24495 5f31cc 24331->24495 24333 642299 24333->24331 24334 64229d 24333->24334 24503 640ad8 147 API calls 24334->24503 24338 6422a2 24338->24331 24340 6422d1 24341 40876c 12 API calls 24340->24341 24342 6422eb 24341->24342 24344 4097c0 24343->24344 24345 5a2f56 GetFileAttributesW 24344->24345 24346 5a2f61 24345->24346 24346->24324 24500 63ff9c 132 API calls 24346->24500 24348 640f6b 24347->24348 24349 640f82 24348->24349 24350 640f89 24348->24350 24793 638030 6 API calls 24349->24793 24352 640fc7 24350->24352 24505 5f3018 SendMessageW 24350->24505 24354 640ff1 24352->24354 24356 640fe7 24352->24356 24357 640ff3 24352->24357 24518 5f3d9c 24354->24518 24794 5f3b5c 117 API calls 24356->24794 24795 5f3d40 113 API calls 24357->24795 24361 409a14 12 API calls 24362 641051 24361->24362 24363 5f3d9c 112 API calls 24362->24363 24364 641059 24363->24364 24365 409a14 12 API calls 24364->24365 24366 64106c 24365->24366 24367 5f3d9c 112 API calls 24366->24367 24368 641074 24367->24368 24541 5a3580 13 API calls 24368->24541 24370 64107c 24371 409a14 12 API calls 24370->24371 24372 64108c 24371->24372 24373 5f3d9c 112 API calls 24372->24373 24374 
641094 24373->24374 24542 6381e0 112 API calls 24374->24542 24376 641099 24543 640864 107 API calls 24376->24543 24378 6410a0 24544 610204 12 API calls 24378->24544 24380 6410b1 24545 612e4c 13 API calls 24380->24545 24382 6410cc 24546 5ab1a0 12 API calls 24382->24546 24384 6410de 24385 408aec 12 API calls 24384->24385 24388 6410eb 24385->24388 24386 641173 24547 640864 107 API calls 24386->24547 24392 64112f 24388->24392 24796 638ac8 132 API calls 24388->24796 24389 64118c 24548 6106bc 13 API calls 24389->24548 24392->24386 24798 638ac8 132 API calls 24392->24798 24393 64112a 24797 426598 76 API calls 24393->24797 24394 6411aa 24397 6411b8 24394->24397 24800 5ead48 12 API calls 24394->24800 24400 6411c1 24397->24400 24401 6411d3 24397->24401 24398 64116e 24799 426598 76 API calls 24398->24799 24801 408bd0 12 API calls 24400->24801 24802 640ed8 12 API calls 24401->24802 24405 6411d1 24549 6390fc 112 API calls 24405->24549 24407 6411ef 24409 64120e 24407->24409 24803 5ead48 12 API calls 24407->24803 24550 636254 24409->24550 24412 641344 24413 6413d5 24412->24413 24708 62d308 24412->24708 24416 64140f 24413->24416 24808 63ff9c 132 API calls 24413->24808 24711 6406d8 113 API calls 24416->24711 24417 641232 24670 63658c 24417->24670 24423 641405 24423->24416 24809 426598 76 API calls 24423->24809 24424 408aec 12 API calls 24425 641247 24424->24425 24429 408aec 12 API calls 24425->24429 24426 5f3d9c 112 API calls 24430 6413d0 24426->24430 24431 64125a 24429->24431 24807 426598 76 API calls 24430->24807 24434 408aec 12 API calls 24431->24434 24433 64144b 24436 64144d Sleep 24433->24436 24437 64146a 24433->24437 24438 64127c 24434->24438 24812 596410 24436->24812 24713 5ab1a0 12 API calls 24437->24713 24441 408aec 12 API calls 24438->24441 24444 641289 24441->24444 24442 641418 24442->24433 24712 610704 18 API calls 24442->24712 24810 63ff9c 132 API calls 24442->24810 24811 426598 76 API calls 24442->24811 24443 641484 24816 5a4e80 16 API calls 24443->24816 24447 408aec 
12 API calls 24444->24447 24449 641296 24447->24449 24448 641499 24714 63fdd0 24448->24714 24451 408aec 12 API calls 24449->24451 24453 6412a3 24451->24453 24804 640e20 105 API calls 24453->24804 24455 6414a7 GetTickCount 24724 6114d8 24455->24724 24457 6412b9 24805 62cba8 16 API calls 24457->24805 24460 6414cb 24817 5f4020 112 API calls 24460->24817 24461 6412c5 24806 62cca0 105 API calls 24461->24806 24464 6414f1 24465 641580 24464->24465 24818 62cefc 12 API calls 24464->24818 24819 5f4020 112 API calls 24465->24819 24468 6415d2 24470 64160a 24468->24470 24471 596410 162 API calls 24468->24471 24469 641531 24469->24465 24472 6415a5 24469->24472 24473 64153b 24469->24473 24820 6406d8 113 API calls 24470->24820 24474 6415e7 GetTickCount 24471->24474 24476 5f3d9c 112 API calls 24472->24476 24475 62d308 113 API calls 24473->24475 24474->24470 24477 6415f6 MsgWaitForMultipleObjects 24474->24477 24479 64156e 24475->24479 24476->24465 24477->24468 24479->24465 24483 5f3d9c 112 API calls 24479->24483 24480 641629 24481 64162f 24480->24481 24482 64166b 24480->24482 24485 641669 24481->24485 24821 63ff9c 132 API calls 24481->24821 24484 64169b 24482->24484 24822 63ff9c 132 API calls 24482->24822 24483->24465 24484->24485 24488 5f3d9c 112 API calls 24484->24488 24823 6406d8 113 API calls 24485->24823 24488->24485 24490 6416bd 24491 64175e 24490->24491 24824 62d0a0 24490->24824 24827 5a4f10 15 API calls 24491->24827 24494 641793 24494->24331 24496 5f31dc SendMessageW 24495->24496 24498 5f31f7 24495->24498 24496->24498 24497 5f320a 24504 40856c 12 API calls 24497->24504 24498->24497 25755 46dab4 GetWindowLongW DestroyWindow 24498->25755 24500->24329 24502->24333 24503->24338 24504->24340 24506 5f3074 24505->24506 24507 5f3041 24505->24507 24828 46da00 GetClassInfoW 24506->24828 24838 426600 105 API calls 24507->24838 24510 5f306f 24839 407e08 12 API calls 24510->24839 24513 5f3098 24840 5ead48 12 API calls 24513->24840 24514 5f30a2 24517 5f30bc SendMessageW 24514->24517 24841 
5a4dd0 17 API calls 24514->24841 24517->24352 24519 5f3dce 24518->24519 24520 5f3ee4 24518->24520 24845 5f3a34 GetSystemTimeAsFileTime FileTimeToSystemTime 24519->24845 24521 5f3f3e 24520->24521 24854 5f3518 50 API calls 24520->24854 24524 40876c 12 API calls 24521->24524 24526 5f3f58 24524->24526 24525 5f3dd6 24846 421ba4 105 API calls 24525->24846 24528 40870c 12 API calls 24526->24528 24530 5f3f60 24528->24530 24529 5f3e47 24847 5f3d8c 107 API calls 24529->24847 24530->24361 24532 5f3eda 24853 5f3d8c 107 API calls 24532->24853 24533 5f3ea2 24533->24532 24536 409be4 12 API calls 24533->24536 24539 5f3ed2 24536->24539 24537 5f3e4f 24537->24533 24538 5f3d8c 107 API calls 24537->24538 24848 409be4 24537->24848 24538->24537 24852 5f3d8c 107 API calls 24539->24852 24541->24370 24542->24376 24543->24378 24544->24380 24545->24382 24546->24384 24547->24389 24548->24394 24549->24407 24551 63625c 24550->24551 24551->24551 24855 5eb53c 24551->24855 24554 408aec 12 API calls 24555 636288 24554->24555 24556 409a14 12 API calls 24555->24556 24557 63629b 24556->24557 24558 5f3d9c 112 API calls 24557->24558 24559 6362a3 24558->24559 24560 6362b7 24559->24560 24886 5f34a8 50 API calls 24559->24886 24562 5a2674 12 API calls 24560->24562 24563 6362c4 24562->24563 24564 409a14 12 API calls 24563->24564 24565 6362d4 24564->24565 24566 6362de CreateDirectoryW 24565->24566 24567 6362e8 GetLastError 24566->24567 24568 63634d 24566->24568 24887 5ab1a0 12 API calls 24567->24887 24874 60ce24 24568->24874 24571 636300 24888 4207b0 12 API calls 24571->24888 24572 636355 24574 63637e 24572->24574 24577 409a14 12 API calls 24572->24577 24576 40876c 12 API calls 24574->24576 24575 636314 24578 5a4c6c 13 API calls 24575->24578 24579 636398 24576->24579 24580 63636b 24577->24580 24582 636324 24578->24582 24583 40876c 12 API calls 24579->24583 24881 6361fc 24580->24881 24889 5ab170 12 API calls 24582->24889 24586 6363a5 24583->24586 24584 636376 24892 60ce7c 24584->24892 24586->24412 24592 635c18 
24586->24592 24588 636339 24890 4265c4 12 API calls 24588->24890 24590 636348 24891 407e08 12 API calls 24590->24891 24593 635c20 24592->24593 24593->24593 24594 5a3b20 GetWindowsDirectoryW 24593->24594 24595 635c3d 24594->24595 24596 408aec 12 API calls 24595->24596 24597 635c4a 24596->24597 24598 5a3b4c GetSystemDirectoryW 24597->24598 24599 635c52 24598->24599 24600 408aec 12 API calls 24599->24600 24601 635c5f 24600->24601 25085 5a3b78 24601->25085 24603 635c67 24604 408aec 12 API calls 24603->24604 24605 635c74 24604->24605 25090 5a3c20 24605->25090 24608 408aec 12 API calls 24609 635c90 24608->24609 24610 4272d4 48 API calls 24609->24610 24611 635c95 24610->24611 24612 635cb6 24611->24612 24613 635c9a 24611->24613 24614 40870c 12 API calls 24612->24614 24615 5a344c 13 API calls 24613->24615 24616 635cb4 24614->24616 24617 635ca7 24615->24617 24618 635cfb 24616->24618 25117 5a2b70 12 API calls 24616->25117 24619 408aec 12 API calls 24617->24619 25106 635aac 24618->25106 24619->24616 24622 635cd6 24624 408aec 12 API calls 24622->24624 24626 635ce3 24624->24626 24625 408aec 12 API calls 24627 635d17 24625->24627 24626->24618 24631 408aec 12 API calls 24626->24631 24628 635d35 24627->24628 24629 409a14 12 API calls 24627->24629 24630 635aac 16 API calls 24628->24630 24629->24628 24632 635d44 24630->24632 24631->24618 24633 408aec 12 API calls 24632->24633 24634 635d51 24633->24634 24635 635d79 24634->24635 24636 5a2674 12 API calls 24634->24636 24639 635aac 16 API calls 24635->24639 24648 635de0 24635->24648 24637 635d67 24636->24637 24642 409a14 12 API calls 24637->24642 24638 635ea6 24640 635ed0 24638->24640 24641 635eaf 24638->24641 24643 635d91 24639->24643 24645 5a2674 12 API calls 24640->24645 24644 5a2674 12 API calls 24641->24644 24642->24635 24646 408aec 12 API calls 24643->24646 24647 635ebc 24644->24647 24649 635edd 24645->24649 24650 635d9e 24646->24650 24653 409a14 12 API calls 24647->24653 24648->24638 24654 635e53 24648->24654 24655 635e1a 
24648->24655 24651 409a14 12 API calls 24649->24651 24652 635db1 24650->24652 25118 5ead48 12 API calls 24650->25118 24656 635ece 24651->24656 24658 635aac 16 API calls 24652->24658 24653->24656 24654->24638 24663 635e6d 24654->24663 24659 635e35 CoTaskMemFree 24655->24659 24660 635b5c 16 API calls 24656->24660 24661 635dc0 24658->24661 24659->24417 24662 635ef4 24660->24662 24664 408aec 12 API calls 24661->24664 24665 40876c 12 API calls 24662->24665 24668 635e88 CoTaskMemFree 24663->24668 24666 635dcd 24664->24666 24667 635f0e 24665->24667 24666->24648 25119 5ead48 12 API calls 24666->25119 24667->24417 24668->24417 24671 636594 24670->24671 24671->24671 24672 5a3b4c GetSystemDirectoryW 24671->24672 24673 6365b3 24672->24673 24674 5a2674 12 API calls 24673->24674 24675 6365be 24674->24675 24676 409a14 12 API calls 24675->24676 24677 6365ce 24676->24677 25133 5e9b00 24677->25133 24680 63663e 24681 5a3b4c GetSystemDirectoryW 24680->24681 24683 636646 24681->24683 24682 5a2674 12 API calls 24684 636621 24682->24684 24685 5a2674 12 API calls 24683->24685 24686 409a14 12 API calls 24684->24686 24688 636651 24685->24688 24687 636631 24686->24687 24689 6361fc 117 API calls 24687->24689 24690 4099bc 12 API calls 24688->24690 24689->24680 24691 63665e 24690->24691 25136 428574 SetErrorMode 24691->25136 24693 63666b 24694 428574 2 API calls 24693->24694 24695 636678 24694->24695 24696 6366ab 24695->24696 25139 421ba4 105 API calls 24695->25139 24697 412174 14 API calls 24696->24697 24699 6366bb 24697->24699 24702 6366d1 24699->24702 25141 5ead48 12 API calls 24699->25141 24700 6366a3 25140 5ead48 12 API calls 24700->25140 24704 40876c 12 API calls 24702->24704 24705 6366eb 24704->24705 24706 40870c 12 API calls 24705->24706 24707 6366f3 24706->24707 24707->24424 25158 62d0bc 24708->25158 24710 62d326 24710->24413 24710->24426 24711->24442 24712->24442 24713->24443 25238 605794 24714->25238 24718 63fe16 24719 62d0a0 113 API calls 24718->24719 24721 63fe4f 24718->24721 
24719->24721 24720 63fe87 24723 6406d8 113 API calls 24720->24723 24721->24720 25263 59178c 111 API calls 24721->25263 24723->24455 24725 6114e1 24724->24725 24726 5f3d9c 112 API calls 24725->24726 24727 611523 24726->24727 24728 5a3b4c GetSystemDirectoryW 24727->24728 24729 61152e 24728->24729 25517 4216cc 24729->25517 24731 612151 24733 612167 24731->24733 24734 612157 SHChangeNotify 24731->24734 24738 612175 24733->24738 25628 5edfa4 SendMessageTimeoutW 24733->25628 24734->24733 24789 612184 24738->24789 25629 6113f0 136 API calls 24738->25629 24744 409a14 12 API calls 24774 611bd1 24744->24774 24746 5ab1a0 12 API calls 24746->24774 24749 5a4104 RegOpenKeyExW 24749->24774 24752 61199c 24757 611b06 24752->24757 24752->24774 25578 611484 13 API calls 24752->25578 25579 610cdc 122 API calls 24752->25579 25580 5ea614 GetFileAttributesW Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection GetLastError 24752->25580 25581 610de4 188 API calls 24752->25581 25582 611074 143 API calls 24752->25582 25585 611288 128 API calls 24752->25585 25586 61047c 12 API calls 24752->25586 24753 4265c4 12 API calls 24753->24774 24756 408b34 12 API calls 24756->24774 25583 5f4020 112 API calls 24757->25583 25584 5edcd4 53 API calls 24757->25584 24758 611f77 RegSetValueExW 24759 611f9a RegCloseKey 24758->24759 24758->24774 24759->24774 24764 407e08 12 API calls 24764->24774 24765 611d5c SHChangeNotify 25618 5a2b48 12 API calls 24765->25618 24767 5ee348 12 API calls 24767->24789 24770 612053 RegDeleteValueW 24771 61206b RegCloseKey 24770->24771 24775 612067 24770->24775 24771->24774 24774->24731 24774->24744 24774->24746 24774->24749 24774->24753 24774->24756 24774->24758 24774->24759 24774->24764 24774->24765 24774->24770 24774->24771 24786 610778 142 API calls 24774->24786 25565 611484 13 API calls 24774->25565 25566 5a4044 RegQueryValueExW 24774->25566 25587 5ebcd0 24774->25587 25619 5ee2c4 12 API calls 24774->25619 25620 610cdc 122 API calls 24774->25620 25621 
5a33c4 WritePrivateProfileStringW WriteProfileStringW 24774->25621 25622 5a3268 GetPrivateProfileStringW GetProfileStringW 24774->25622 25623 5a3410 WritePrivateProfileStringW WriteProfileStringW 24774->25623 25624 5a41c4 55 API calls 24774->25624 25625 5a4348 19 API calls 24774->25625 25626 421ba4 105 API calls 24774->25626 25627 61047c 12 API calls 24774->25627 24775->24771 24776 409a14 12 API calls 24781 611539 24776->24781 24777 5a2f70 13 API calls 24777->24789 24780 5a2f84 13 API calls 24780->24781 24781->24752 24781->24776 24781->24780 24784 5f3d9c 112 API calls 24781->24784 24787 61184f 24781->24787 24788 5f4020 112 API calls 24781->24788 25520 611484 13 API calls 24781->25520 25521 5ecd00 24781->25521 25574 5ea614 GetFileAttributesW Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection GetLastError 24781->25574 25576 5ee270 12 API calls 24781->25576 25577 61047c 12 API calls 24781->25577 24783 612208 24783->24460 24784->24781 24786->24774 24787->24781 24790 5f4020 112 API calls 24787->24790 25575 5ecfcc 19 API calls 24787->25575 24788->24781 24789->24767 24789->24777 24789->24783 24792 6121f4 SHChangeNotify 24789->24792 24790->24787 24792->24789 24793->24350 24794->24354 24795->24354 24796->24393 24798->24398 24800->24397 24801->24405 24802->24405 24803->24409 24804->24457 24805->24461 24806->24412 24808->24423 24810->24442 24813 596416 24812->24813 24815 596423 24813->24815 25676 5962fc PeekMessageW 24813->25676 24815->24433 24816->24448 24817->24464 24818->24469 24819->24468 24820->24480 24821->24485 24822->24484 24823->24490 25736 62cf5c 24824->25736 24826 62d0b4 24826->24491 24827->24494 24829 46da30 24828->24829 24830 46da59 24829->24830 24831 46da3e UnregisterClassW 24829->24831 24832 46da4f RegisterClassW 24829->24832 24833 412e84 CreateWindowExW 24830->24833 24831->24832 24832->24830 24834 46da87 24833->24834 24835 46daa4 24834->24835 24842 46d864 24834->24842 24835->24513 24835->24514 24837 46da9b SetWindowLongW 24837->24835 
24838->24510 24840->24514 24841->24514 24843 46d874 VirtualAlloc 24842->24843 24844 46d8a2 24842->24844 24843->24844 24844->24837 24845->24525 24846->24529 24847->24537 24849 409bef 24848->24849 24850 408894 12 API calls 24849->24850 24851 409c25 24850->24851 24851->24537 24852->24532 24853->24520 24854->24521 24872 5eb544 24855->24872 24858 5eb583 CreateDirectoryW 24859 5eb5ff 24858->24859 24860 5eb58d GetLastError 24858->24860 24861 408aec 12 API calls 24859->24861 24860->24872 24862 5eb609 24861->24862 24864 40876c 12 API calls 24862->24864 24865 5eb623 24864->24865 24867 40876c 12 API calls 24865->24867 24868 5eb630 24867->24868 24868->24554 24869 5a4c6c 13 API calls 24869->24872 24872->24858 24872->24869 24895 5a3cd4 24872->24895 24920 5eb2a4 24872->24920 24940 5ab1a0 12 API calls 24872->24940 24941 4207b0 12 API calls 24872->24941 24942 5ab170 12 API calls 24872->24942 24943 4265c4 12 API calls 24872->24943 24944 407e08 12 API calls 24872->24944 24875 60ce41 24874->24875 24876 60ce33 24874->24876 24878 40870c 12 API calls 24875->24878 24877 408aec 12 API calls 24876->24877 24879 60ce3f 24877->24879 24880 60ce48 24878->24880 24879->24572 24880->24572 25015 45f7b4 24881->25015 24883 636218 25019 636114 24883->25019 24885 636233 24885->24584 24886->24560 24887->24571 24888->24575 24889->24588 24890->24590 24893 408aec 12 API calls 24892->24893 24894 60ce8b 24893->24894 24894->24574 24945 5a344c 24895->24945 24898 5a3d04 24899 5a344c 13 API calls 24898->24899 24902 5a3d51 24898->24902 24901 5a3d14 24899->24901 24903 5a3d20 24901->24903 24905 5a2f70 13 API calls 24901->24905 24953 5a2a98 24902->24953 24903->24902 24906 4272d4 48 API calls 24903->24906 24905->24903 24908 5a3d29 24906->24908 24912 5a344c 13 API calls 24908->24912 24919 5a3d46 24908->24919 24909 5a2674 12 API calls 24911 5a3d66 24909->24911 24913 408aec 12 API calls 24911->24913 24914 5a3d3a 24912->24914 24915 5a3d70 24913->24915 24917 5a2f70 13 API calls 24914->24917 24914->24919 24916 40876c 12 API 
calls 24915->24916 24918 5a3d8a 24916->24918 24917->24919 24918->24872 24919->24902 24965 5a3b20 GetWindowsDirectoryW 24919->24965 24921 5eb2c8 24920->24921 24922 5a2674 12 API calls 24921->24922 24923 5eb2e1 24922->24923 24981 408b34 24923->24981 24926 5a2e4c 12 API calls 24929 5eb2ec 24926->24929 24927 409a9c 12 API calls 24927->24929 24929->24926 24929->24927 24933 5eb368 24929->24933 24985 5eb22c 24929->24985 24993 5ea260 24929->24993 25001 5ab1a0 12 API calls 24929->25001 25002 4265c4 12 API calls 24929->25002 25003 407e08 12 API calls 24929->25003 24934 408aec 12 API calls 24933->24934 24935 5eb373 24934->24935 24936 40876c 12 API calls 24935->24936 24937 5eb38d 24936->24937 24938 40876c 12 API calls 24937->24938 24939 5eb39a 24938->24939 24939->24872 24940->24872 24941->24872 24942->24872 24943->24872 24946 40993c 12 API calls 24945->24946 24947 5a345f 24946->24947 24948 5a347a GetEnvironmentVariableW 24947->24948 24952 5a348d 24947->24952 24967 5a3ebc 12 API calls 24947->24967 24948->24947 24949 5a3486 24948->24949 24951 40870c 12 API calls 24949->24951 24951->24952 24952->24898 24962 5a2f70 24952->24962 24954 5a2aa1 24953->24954 24954->24954 24955 5a2ac8 GetFullPathNameW 24954->24955 24956 5a2aeb 24955->24956 24957 5a2ad4 24955->24957 24959 408aec 12 API calls 24956->24959 24957->24956 24958 5a2adc 24957->24958 24960 408894 12 API calls 24958->24960 24961 5a2ae9 24959->24961 24960->24961 24961->24909 24968 5a2ef8 24962->24968 24966 5a3b41 24965->24966 24966->24902 24967->24947 24974 5a2e4c 24968->24974 24970 5a2f18 24971 5a2f20 GetFileAttributesW 24970->24971 24972 40870c 12 API calls 24971->24972 24973 5a2f3d 24972->24973 24973->24898 24975 5a2e5d 24974->24975 24976 5a2e98 24975->24976 24977 5a2ea3 24975->24977 24979 408aec 12 API calls 24976->24979 24978 409be4 12 API calls 24977->24978 24980 5a2ea1 24978->24980 24979->24980 24980->24970 24983 408b38 24981->24983 24982 408b5c 24982->24929 24983->24982 25004 4054ac 12 API calls 24983->25004 24986 40870c 
12 API calls 24985->24986 24989 5eb24d 24986->24989 24990 5eb27e 24989->24990 25005 4097e8 24989->25005 25008 409c88 24989->25008 24991 40870c 12 API calls 24990->24991 24992 5eb293 24991->24992 24992->24929 24994 5e9f94 2 API calls 24993->24994 24995 5ea276 24994->24995 24996 5ea27a 24995->24996 25012 5a2f84 24995->25012 24996->24929 24999 5e9fd0 Wow64RevertWow64FsRedirection 25000 5ea2b5 24999->25000 25000->24929 25001->24929 25002->24929 25004->24982 25006 408894 12 API calls 25005->25006 25007 4097f5 25006->25007 25007->24989 25009 409c9d 25008->25009 25010 40993c 12 API calls 25009->25010 25011 409cf2 25009->25011 25010->25011 25011->24989 25013 5a2ef8 13 API calls 25012->25013 25014 5a2f8e GetLastError 25013->25014 25014->24999 25016 45f7be 25015->25016 25026 45f8ac FindResourceW 25016->25026 25018 45f7ee 25018->24883 25038 45f284 25019->25038 25021 636149 25022 40876c 12 API calls 25021->25022 25023 6361e3 25022->25023 25024 40870c 12 API calls 25023->25024 25025 6361eb 25024->25025 25025->24885 25027 45f8d1 25026->25027 25028 45f8d8 LoadResource 25026->25028 25036 45f80c 105 API calls 25027->25036 25030 45f8f2 SizeofResource LockResource 25028->25030 25031 45f8eb 25028->25031 25034 45f910 25030->25034 25037 45f80c 105 API calls 25031->25037 25032 45f8d7 25032->25028 25034->25018 25035 45f8f1 25035->25030 25036->25032 25037->25035 25041 45ef4c 25038->25041 25040 45f29e 25040->25021 25042 45ef55 25041->25042 25045 45ef90 25042->25045 25044 45ef71 25044->25040 25046 45efab 25045->25046 25047 45f056 25046->25047 25048 45efd8 25046->25048 25080 420e28 CreateFileW 25047->25080 25072 420e80 25048->25072 25051 45f060 25052 45f054 25051->25052 25081 42127c 14 API calls 25051->25081 25054 408aec 12 API calls 25052->25054 25053 45eff5 25053->25052 25076 42127c 14 API calls 25053->25076 25058 45f0c5 25054->25058 25056 45f07b GetLastError 25082 425310 14 API calls 25056->25082 25061 40876c 12 API calls 25058->25061 25060 45f014 GetLastError 25077 425310 14 API calls 
25060->25077 25064 45f0df 25061->25064 25062 45f094 25083 4266bc 105 API calls 25062->25083 25064->25044 25066 45f02d 25078 4266bc 105 API calls 25066->25078 25067 45f0b6 25084 407e08 12 API calls 25067->25084 25070 45f04f 25079 407e08 12 API calls 25070->25079 25073 420e96 25072->25073 25074 420ece 25072->25074 25075 420ec8 CreateFileW 25073->25075 25074->25053 25075->25074 25076->25060 25077->25066 25078->25070 25080->25051 25081->25056 25082->25062 25083->25067 25086 40870c 12 API calls 25085->25086 25087 5a3b88 GetModuleHandleW 25086->25087 25088 412174 14 API calls 25087->25088 25089 5a3b9d 25088->25089 25089->24603 25091 5a3c7b 25090->25091 25092 5a3c3f GetVersion 25090->25092 25093 40870c 12 API calls 25091->25093 25092->25091 25094 5a3c4f 25092->25094 25095 5a3c82 25093->25095 25096 5a3b4c GetSystemDirectoryW 25094->25096 25097 40876c 12 API calls 25095->25097 25098 5a3c57 25096->25098 25099 5a3c9c 25097->25099 25100 5a2674 12 API calls 25098->25100 25099->24608 25101 5a3c62 25100->25101 25120 4099bc 25101->25120 25103 5a3c6f 25104 5a2a98 13 API calls 25103->25104 25105 5a3c79 25104->25105 25105->25095 25107 5a4104 RegOpenKeyExW 25106->25107 25108 635ad2 25107->25108 25109 635ad6 25108->25109 25110 635af8 25108->25110 25112 5a402c 14 API calls 25109->25112 25111 40870c 12 API calls 25110->25111 25113 635aff 25111->25113 25114 635ae2 25112->25114 25113->24625 25115 635aed RegCloseKey 25114->25115 25116 40870c 12 API calls 25114->25116 25115->25113 25116->25115 25117->24622 25118->24652 25119->24648 25121 409a0b 25120->25121 25122 4099c0 25120->25122 25121->25103 25123 4099ca 25122->25123 25129 408aec 25122->25129 25123->25121 25125 409a00 25123->25125 25126 4099e5 25123->25126 25124 408b30 25124->25103 25127 40993c 12 API calls 25125->25127 25128 40993c 12 API calls 25126->25128 25131 4099ea 25127->25131 25128->25131 25129->25124 25132 4054ac 12 API calls 25129->25132 25131->25103 25132->25124 25135 5e9b0d 25133->25135 25142 5e9a3c 25133->25142 25135->24680 

                                                                  Executed Functions

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A4412
                                                                  • GetVersion.KERNEL32(00000000,005A45BB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A442F
                                                                  • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005A45BB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A4449
                                                                  • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005A45BB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A4464
                                                                  • FreeSid.ADVAPI32(00000000,005A45C2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A45B5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
                                                                  • String ID: CheckTokenMembership$advapi32.dll$"d
                                                                  • API String ID: 2691416632-3419945155
                                                                  • Opcode ID: 6035384f0be8bffbb6091d7286a8d61865775141e390b65ac26e64e696c496cb
                                                                  • Instruction ID: 8be25b1eaa60826a9289c4b804e0d8c89bfcc54eba99b55f2596c762bcfabe6e
                                                                  • Opcode Fuzzy Hash: 6035384f0be8bffbb6091d7286a8d61865775141e390b65ac26e64e696c496cb
                                                                  • Instruction Fuzzy Hash: 10516671E053056BDB10EBE58C42BAE7BA8FB4E304F200866FA00E7592D6B8D9418B65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetVersion.KERNEL32(00000000,00601D02,?,00000000,00000000,?,00601D18,?,0060596B), ref: 00601C89
                                                                  • CoCreateInstance.OLE32(00652B18,00000000,00000001,00652B28,00000000,00000000,00601D02,?,00000000,00000000,?,00601D18,?,0060596B), ref: 00601CAF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInstanceVersion
                                                                  • String ID: (+e
                                                                  • API String ID: 1462612201-2193073908
                                                                  • Opcode ID: 7f0fb1c261bc18011f4cffbc940c87181d0ec2ef76144eb024790562188bb7c6
                                                                  • Instruction ID: 59973373eca4dea7f3b02cb4b04290ee2b93c9a945b66a55126d418ec8031c36
                                                                  • Opcode Fuzzy Hash: 7f0fb1c261bc18011f4cffbc940c87181d0ec2ef76144eb024790562188bb7c6
                                                                  • Instruction Fuzzy Hash: A011C030280205AFEB05DBA5CD46F9AB7EEEB0A705F5240A5F500DB2E1DB79DE048715
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CE0C,?,?), ref: 0040CD7E
                                                                  • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CE0C,?,?), ref: 0040CD87
                                                                    • Part of subcall function 0040CBFC: FindFirstFileW.KERNEL32(00000000,?,00000000,0040CC5A,?,?), ref: 0040CC2F
                                                                    • Part of subcall function 0040CBFC: FindClose.KERNEL32(00000000,00000000,?,00000000,0040CC5A,?,?), ref: 0040CC3F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                  • String ID:
                                                                  • API String ID: 3216391948-0
                                                                  • Opcode ID: cff3a771b4cd9330fe69c64e8ee45a113bd77ee1a77b8c2479f5eb231e02d6b2
                                                                  • Instruction ID: 1e6bc69c0a1381f92b9e69733a46d54d0aa19dc84cca161867292b39dd9e4508
                                                                  • Opcode Fuzzy Hash: cff3a771b4cd9330fe69c64e8ee45a113bd77ee1a77b8c2479f5eb231e02d6b2
                                                                  • Instruction Fuzzy Hash: 96116670A00209DBDB00EBA6D992AAEB7B8EF48304F50457FB504B73D2DB785E05C669
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,005EA333,?,?,?,00000000), ref: 005EA30D
                                                                  • GetLastError.KERNEL32(00000000,?,00000000,005EA333,?,?,?,00000000), ref: 005EA315
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileFindFirstLast
                                                                  • String ID:
                                                                  • API String ID: 873889042-0
                                                                  • Opcode ID: 168c9b4c41c4ea0f718ce1a08fd9118add8ccedfb744e079e93659115c092f05
                                                                  • Instruction ID: 1b7011bc577df47943cd785a29aa03cc57531b971ab48fc9295898d1574b298f
                                                                  • Opcode Fuzzy Hash: 168c9b4c41c4ea0f718ce1a08fd9118add8ccedfb744e079e93659115c092f05
                                                                  • Instruction Fuzzy Hash: 9DF02D71A04244AB8B15DFBB9C0149DFBACFB897207114AB7F964D3341EA755E008195
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,0040CC5A,?,?), ref: 0040CC2F
                                                                  • FindClose.KERNEL32(00000000,00000000,?,00000000,0040CC5A,?,?), ref: 0040CC3F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID:
                                                                  • API String ID: 2295610775-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CA45,?,?), ref: 0040C859
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040CA45,?,?), ref: 0040C8A2
                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040CA45,?,?), ref: 0040C8C4
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040C8E2
                                                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C900
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C91E
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C93C
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040CA28,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040CA45), ref: 0040C97C
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040CA28,?,80000001), ref: 0040C9A7
                                                                  • RegCloseKey.ADVAPI32(?,0040CA2F,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040CA28,?,80000001,Software\Embarcadero\Locales), ref: 0040CA22
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Open$QueryValue$CloseFileModuleName
                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                  • API String ID: 2701450724-3496071916
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040F0F0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionRaise
                                                                  • String ID: Hd$hd
                                                                  • API String ID: 3997070919-182934829
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CoTaskMemFree.OLE32(?,00635E53,?,00000000,00000000,?,00641232,00000006,?,00000000,006417E8,?,00000000,006418A7), ref: 00635E46
                                                                  • CoTaskMemFree.OLE32(?,00635EA6,?,00000000,00000000,?,00641232,00000006,?,00000000,006417E8,?,00000000,006418A7), ref: 00635E99
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FreeTask
                                                                  • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                  • API String ID: 734271698-544719455
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 005A3B4C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A3B5F
                                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,0060C630,00000000, /s ",0065A16C,regsvr32.exe",?,0060C630), ref: 0060C59E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseDirectoryHandleSystem
                                                                  • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                  • API String ID: 2051275411-1862435767
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,?,?,00000000,0040D848,0040D8AE,?,00000000,?,?,0040DBD1,00000000,?,00000000,0040E0D2,00000000), ref: 004043A2
                                                                  • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040D848,0040D8AE,?,00000000,?,?,0040DBD1,00000000,?,00000000,0040E0D2), ref: 004043BC
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,005ECF30,005ECF30,?,005ECF30,00000000), ref: 005ECEB5
                                                                  • CloseHandle.KERNEL32(006414CB,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,005ECF30,005ECF30,?,005ECF30), ref: 005ECEC2
                                                                    • Part of subcall function 005ECC6C: WaitForInputIdle.USER32 ref: 005ECC98
                                                                    • Part of subcall function 005ECC6C: MsgWaitForMultipleObjects.USER32 ref: 005ECCBA
                                                                    • Part of subcall function 005ECC6C: GetExitCodeProcess.KERNEL32 ref: 005ECCCB
                                                                    • Part of subcall function 005ECC6C: CloseHandle.KERNEL32(00000001,005ECCF8,005ECCF1,?,?,?,00000001,?,?,005ED09A,?,00000000,005ED0B0,?,?,?), ref: 005ECCEB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                  • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                  • API String ID: 854858120-615399546
                                                                  • Opcode ID: ef2b210935d3ad268bd512456b4df20c4070c29aaa0d707713e32749370b408a
                                                                  • Instruction ID: 0b7c01194dcd5915e6048f3552e9a0c6d9dceeac1f337f18381b92e2394d53a0
                                                                  • Opcode Fuzzy Hash: ef2b210935d3ad268bd512456b4df20c4070c29aaa0d707713e32749370b408a
                                                                  • Instruction Fuzzy Hash: 3B514330A0028D9BCF15EFA6C982ADEBFB9BF45704F50403AB454A7286D774DE06DB54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                                  • String ID:
                                                                  • API String ID: 2190272339-0
                                                                  • Opcode ID: b505dac5081caec79563f99069b5c2410f2126aafcfc4f2e5144c69dda22b2cb
                                                                  • Instruction ID: b3dcd82f525f2ccfe4c8ec4e97d82f02c620822d9fe4adc89b046b09657a812e
                                                                  • Opcode Fuzzy Hash: b505dac5081caec79563f99069b5c2410f2126aafcfc4f2e5144c69dda22b2cb
                                                                  • Instruction Fuzzy Hash: 8A21073034435026FF356E290E86BBEAE95EFD2708F144819F585D7183DB99984F421A
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetActiveWindow.USER32 ref: 005A59E7
                                                                  • GetFocus.USER32 ref: 005A59EF
                                                                  • RegisterClassW.USER32 ref: 005A5A10
                                                                  • ShowWindow.USER32(00000000,00000008,00000000,?,00000000,41178000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005A5AA8
                                                                  • SetFocus.USER32(00000000,00000000,005A5ACA,?,?,00000000,00000001,00000000,?,0060C783,0065A16C,?,00000000,00642AEE,?,00000001), ref: 005A5AAF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FocusWindow$ActiveClassRegisterShow
                                                                  • String ID: TWindowDisabler-Window
                                                                  • API String ID: 495420250-1824977358
                                                                  • Opcode ID: 2fb9b116738596a1e0afb903f50ba267de6d1b1f75f886a1ed0846ab53d7e5dd
                                                                  • Instruction ID: d9b2cc6840da12512848ad8eedaef7fd359135de9f53516b34ed03f793c6e221
                                                                  • Opcode Fuzzy Hash: 2fb9b116738596a1e0afb903f50ba267de6d1b1f75f886a1ed0846ab53d7e5dd
                                                                  • Instruction Fuzzy Hash: EF21EF71B40B01AFD310EB79CD42F2E7AA5FB41B01F114629B900EB2C1E6B4AC50C7D8
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0040EFEC: GetModuleHandleW.KERNEL32(00000000,?,0064D4B3), ref: 0040EFF8
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0064D4C3
                                                                  • SetWindowLongW.USER32 ref: 0064D4DF
                                                                  • SetErrorMode.KERNEL32(00000001,00000000,0064D524,?,?,000000EC,00000000), ref: 0064D4F4
                                                                    • Part of subcall function 00642EA0: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0064D4FE,00000001,00000000,0064D524,?,?,000000EC,00000000), ref: 00642EAA
                                                                    • Part of subcall function 0059644C: SendMessageW.USER32(?,0000B020,00000000,?), ref: 00596471
                                                                    • Part of subcall function 00595F5C: SetWindowTextW.USER32(?,00000000), ref: 00595F8D
                                                                  • ShowWindow.USER32(?,00000005,00000000,0064D524,?,?,000000EC,00000000), ref: 0064D55E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                                  • String ID: Setup$pc
                                                                  • API String ID: 1533765661-3660760854
                                                                  • Opcode ID: 8453979f9757b2b6af1ffdad24c6b83727ccd520adb1f43a5464695c07890d8e
                                                                  • Instruction ID: 99239e9ace0432ff927885b241a0afe2423aa3233f3e49fe6913a1ef7ffd3993
                                                                  • Opcode Fuzzy Hash: 8453979f9757b2b6af1ffdad24c6b83727ccd520adb1f43a5464695c07890d8e
                                                                  • Instruction Fuzzy Hash: 722190B4604700BFCB01EF6DDCA2D567BEAEB4E720B515164F514C77B1CA34A980CB59
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000,000000FF,00404828,00000000,0040D8EF,00000000,0040DDFD,00000000,0040E0BF,00000000,0040E0F5), ref: 0040403F
                                                                  • Sleep.KERNEL32(0000000A,00000000,000000FF,00404828,00000000,0040D8EF,00000000,0040DDFD,00000000,0040E0BF,00000000,0040E0F5), ref: 00404055
                                                                  • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404828,00000000,0040D8EF,00000000,0040DDFD,00000000,0040E0BF,00000000,0040E0F5), ref: 00404083
                                                                  • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404828,00000000,0040D8EF,00000000,0040DDFD,00000000,0040E0BF,00000000,0040E0F5), ref: 00404099
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 42b5e056f29d9ccb3932ac196e389176de7fdaf8f1a050f8a078efe818cff194
                                                                  • Instruction ID: 5a8b6537e3358d37646745b0bf3f1f0b51b6ff246b5f24ce9b798a5f4f8b74ba
                                                                  • Opcode Fuzzy Hash: 42b5e056f29d9ccb3932ac196e389176de7fdaf8f1a050f8a078efe818cff194
                                                                  • Instruction Fuzzy Hash: CEC145B26013018BD715CF69E884316BBE5ABC531AF0882FFE514AB3D5CB789991C798
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006363A6,?,?,00000005,00000000,00000000,?,00642955,00000000,00642B08,?,00000000,00642B6C), ref: 006362DF
                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,006363A6,?,?,00000005,00000000,00000000,?,00642955,00000000,00642B08,?,00000000,00642B6C), ref: 006362E8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectoryErrorLast
                                                                  • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                  • API String ID: 1375471231-2952887711
                                                                  • Opcode ID: c7eee5d2907e7c8cba69f56ec260abd86d1687ac3d1b65c7476fc71c717453f3
                                                                  • Instruction ID: dce086d454b6534baab4b2c011f4e8eb466f83b1850ff865cfb80c436dd11fcb
                                                                  • Opcode Fuzzy Hash: c7eee5d2907e7c8cba69f56ec260abd86d1687ac3d1b65c7476fc71c717453f3
                                                                  • Instruction Fuzzy Hash: 7B411774A00109ABDB05EF94D852ADEB7F6FF84304F108136F501A7392DB74AE05CBA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 0060C3AE
                                                                  • GetExitCodeProcess.KERNEL32 ref: 0060C3D1
                                                                  • CloseHandle.KERNEL32(?,0060C404,00000001,00000000,000000FF,000004FF,00000000,0060C3FD), ref: 0060C3F7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                  • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                  • API String ID: 2573145106-3235461205
                                                                  • Opcode ID: 1a1322422304221fa77464f1f7d2f7fe3e7df35ba99eedd62361553e6201c2eb
                                                                  • Instruction ID: 14e2a31ffdb85c1c148fb64c1c9ccbc96deb50cbe69c01d5250a41a6b6c41cd3
                                                                  • Opcode Fuzzy Hash: 1a1322422304221fa77464f1f7d2f7fe3e7df35ba99eedd62361553e6201c2eb
                                                                  • Instruction Fuzzy Hash: 0801DF70680200AFDF18EBA88992EAE37E9EB89730F104671FA10D73D1DA30AD40C655
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DeleteFileW.KERNEL32(00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210DC
                                                                  • GetLastError.KERNEL32(00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210EB
                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000,00000000), ref: 004210F3
                                                                  • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000), ref: 0042110E
                                                                  • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000), ref: 0042111C
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                                  • String ID:
                                                                  • API String ID: 2814369299-0
                                                                  • Opcode ID: 32c18cb4492a194a751d1bbd231639dfd7ac9a5177e6c0dd3f130e539c258946
                                                                  • Instruction ID: 56de61ba13cc10ac5a03dba103e106efa26abbfc9da42fd87a77cee8a775e7f8
                                                                  • Opcode Fuzzy Hash: 32c18cb4492a194a751d1bbd231639dfd7ac9a5177e6c0dd3f130e539c258946
                                                                  • Instruction Fuzzy Hash: E5F0EC6134022859DA2435BE2DC2ABF515CC94676DB50073FFB50D31A3C97D4C66416D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040846C
                                                                  • FreeLibrary.KERNEL32(00400000,?,?,?,00408576,0040559F,004055E6,?,?,004055FF,?,?,?,?,004A0E5A,00000000), ref: 00408514
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,00408576,0040559F,004055E6,?,?,004055FF,?,?,?,?,004A0E5A,00000000), ref: 0040854D
                                                                    • Part of subcall function 004083A4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?,00408576,0040559F,004055E6,?,?,004055FF), ref: 004083DD
                                                                    • Part of subcall function 004083A4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?,00408576,0040559F,004055E6,?,?), ref: 004083E3
                                                                    • Part of subcall function 004083A4: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?), ref: 004083FE
                                                                    • Part of subcall function 004083A4: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?), ref: 00408404
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                  • String ID: MZP
                                                                  • API String ID: 3490077880-2889622443
                                                                  • Opcode ID: 78d86fb2bf2bf2e21ccd9c06c2f1e221edbbdf5316c32f4d18dde5cd064fff3e
                                                                  • Instruction ID: 78054232ab430f224924438cf7dbfd6367a6ce4b95e7ecb1a6dc1622063fce84
                                                                  • Opcode Fuzzy Hash: 78d86fb2bf2bf2e21ccd9c06c2f1e221edbbdf5316c32f4d18dde5cd064fff3e
                                                                  • Instruction Fuzzy Hash: 4E317E60A007429ADB30AF698A8871B7AE5AB55319F15053FA485A32D2DF7CD8C8C719
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040846C
                                                                  • FreeLibrary.KERNEL32(00400000,?,?,?,00408576,0040559F,004055E6,?,?,004055FF,?,?,?,?,004A0E5A,00000000), ref: 00408514
                                                                  • ExitProcess.KERNEL32(00000000,?,?,?,00408576,0040559F,004055E6,?,?,004055FF,?,?,?,?,004A0E5A,00000000), ref: 0040854D
                                                                    • Part of subcall function 004083A4: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?,00408576,0040559F,004055E6,?,?,004055FF), ref: 004083DD
                                                                    • Part of subcall function 004083A4: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?,00408576,0040559F,004055E6,?,?), ref: 004083E3
                                                                    • Part of subcall function 004083A4: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?), ref: 004083FE
                                                                    • Part of subcall function 004083A4: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?), ref: 00408404
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                  • String ID: MZP
                                                                  • API String ID: 3490077880-2889622443
                                                                  • Opcode ID: afed891bfa8eb145adbec0aa145b961b180110e163f2f92655622ef4fecb354b
                                                                  • Instruction ID: afdb55dbc8c585736216f1129d15da0812888cb93493e4522a4028f6bb944287
                                                                  • Opcode Fuzzy Hash: afed891bfa8eb145adbec0aa145b961b180110e163f2f92655622ef4fecb354b
                                                                  • Instruction Fuzzy Hash: 6931BE609003829ADB31AF758A887167BE16B05319F15087FE4C5A32D2DF7CD8C8C71D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                  • String ID:
                                                                  • API String ID: 4025006896-0
                                                                  • Opcode ID: 7f8d2d9db8c633b85baf19444e1c83360650e184f40f9c470917a88f6d291241
                                                                  • Instruction ID: eaf16334c5f0c60b372357798d38c4b1ddccb815e9754486c70d5869802b7d78
                                                                  • Opcode Fuzzy Hash: 7f8d2d9db8c633b85baf19444e1c83360650e184f40f9c470917a88f6d291241
                                                                  • Instruction Fuzzy Hash: 7401A171B08300AFDB00FB9DDD81F9A779AEB48315F105216B904D7391E675DD60C799
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WaitForInputIdle.USER32 ref: 005ECC98
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 005ECCBA
                                                                  • GetExitCodeProcess.KERNEL32 ref: 005ECCCB
                                                                  • CloseHandle.KERNEL32(00000001,005ECCF8,005ECCF1,?,?,?,00000001,?,?,005ED09A,?,00000000,005ED0B0,?,?,?), ref: 005ECCEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                  • String ID:
                                                                  • API String ID: 4071923889-0
                                                                  • Opcode ID: b8fdf0fd8d60cb0cb54c15dfa599adb1d444e4a12e07a2f3d94d66ed70c54a5d
                                                                  • Instruction ID: 0b1ea4fae32b673ec28d52ca53679023a97ccef2bb0f5596a062c9fe025a027a
                                                                  • Opcode Fuzzy Hash: b8fdf0fd8d60cb0cb54c15dfa599adb1d444e4a12e07a2f3d94d66ed70c54a5d
                                                                  • Instruction Fuzzy Hash: 9501F570A402487EEB1897AA8D06EAE7FACEB09760F700122F62CD32D1C6B4DD41C665
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CountSleepTick
                                                                  • String ID:
                                                                  • API String ID: 2227064392-0
                                                                  • Opcode ID: ef050c5fc241401a9c8fb7b637c22a61dd5afb65b30f956bc3e270f13bd38745
                                                                  • Instruction ID: e25aaaa3a608eb0764e34d3907372fffaa84d46f21896ce1c423577bf7bea796
                                                                  • Opcode Fuzzy Hash: ef050c5fc241401a9c8fb7b637c22a61dd5afb65b30f956bc3e270f13bd38745
                                                                  • Instruction Fuzzy Hash: 66E02B32B0C14028862AB5FE58854BD49D6DEC2354F25C57FF1D4C2113C445484582E7
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,005EB631,?,0065A16C,?,00000003,00000000,00000000,?,0063627B,00000000,006363A6), ref: 005EB584
                                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,005EB631,?,0065A16C,?,00000003,00000000,00000000,?,0063627B,00000000,006363A6), ref: 005EB58D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectoryErrorLast
                                                                  • String ID: .tmp
                                                                  • API String ID: 1375471231-2986845003
                                                                  • Opcode ID: d967bb4ce6cf3e4b37adf2e0dd0cf36d62edfd95e7d1731cdc90b49cb0c47c70
                                                                  • Instruction ID: 71fd6045300f4134a5b39da9a16414624d12d965e2f298467dc9364522841c4c
                                                                  • Opcode Fuzzy Hash: d967bb4ce6cf3e4b37adf2e0dd0cf36d62edfd95e7d1731cdc90b49cb0c47c70
                                                                  • Instruction Fuzzy Hash: 6D217675A002499FEB05EBA5CC52ADFB7F9FB88304F10407AF541A3341DB74AE018AA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00635EF4,00000000,00635F0F,?,00000000,00000000,?,00641232,00000006), ref: 00635BBE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID: RegisteredOrganization$RegisteredOwner
                                                                  • API String ID: 3535843008-1113070880
                                                                  • Opcode ID: 856b1eb7acc896687f60f2b69f406da64681ba9463f674849e5bf3f247e95f6e
                                                                  • Instruction ID: fe621046acbe2d505b568ef2ebb7d6073792f3e187ed3d1f27f626681cff0ee7
                                                                  • Opcode Fuzzy Hash: 856b1eb7acc896687f60f2b69f406da64681ba9463f674849e5bf3f247e95f6e
                                                                  • Instruction Fuzzy Hash: 96F0BB30708204ABD700DBE4AD96B5FBB5BE786301F641065F3025B3D1C7B4AD00D754
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(00000000,?,?,?,?), ref: 005E9A5C
                                                                  • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,005E9AD3,?,00000000,?,?,?,?), ref: 005E9A89
                                                                  • VerQueryValueW.VERSION(?,005E9AFC,?,?,00000000,?,00000000,?,00000000,005E9AD3,?,00000000,?,?,?,?), ref: 005E9AA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileInfoVersion$QuerySizeValue
                                                                  • String ID:
                                                                  • API String ID: 2179348866-0
                                                                  • Opcode ID: cdcdfe8f14c20e31e9a23780454d16b1fff429fc28bde454a9e3df50ab498a09
                                                                  • Instruction ID: 1fb48db7ed0a76e7de24ade95d8deeb899b8659ae3da3e008543392c24114c66
                                                                  • Opcode Fuzzy Hash: cdcdfe8f14c20e31e9a23780454d16b1fff429fc28bde454a9e3df50ab498a09
                                                                  • Instruction Fuzzy Hash: 71218471A04249AEDB05DAAA88429FFBBFDEF45714F4504BAF840E3241D6749E00C765
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualFree.KERNEL32(00654ADC,00000000,00008000), ref: 00405392
                                                                  • VirtualFree.KERNEL32(00656B80,00000000,00008000), ref: 0040540E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FreeVirtual
                                                                  • String ID: |Ke
                                                                  • API String ID: 1263568516-2365541183
                                                                  • Opcode ID: 3e5cc1c5cd4f9b1858885007e7deee85219b4d1650f755776562d4be453dec0f
                                                                  • Instruction ID: 51411e9e4f174b8b2d195e3858588647e18d209aceb78b56fdaf3462b05fefee
                                                                  • Opcode Fuzzy Hash: 3e5cc1c5cd4f9b1858885007e7deee85219b4d1650f755776562d4be453dec0f
                                                                  • Instruction Fuzzy Hash: ED1182B16016009FD7649F199840B17BAE5F784715F2580BEE509EF781DA78DC41CB98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: 0079886b865d86db1cd4d693cad395fef10c1b9889dfda0c4f47f23f4114a024
                                                                  • Instruction ID: 1a0f9d8ec5a3a8483739c3d5c48b11641bbd6c986e937cecbfe1c1bfd2489453
                                                                  • Opcode Fuzzy Hash: 0079886b865d86db1cd4d693cad395fef10c1b9889dfda0c4f47f23f4114a024
                                                                  • Instruction Fuzzy Hash: 98019260710130AA8B207B39F9C557E23985F443847E0507BB4079B246CB7CEC8AC3AF
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SendNotifyMessageW.USER32(000D0256,00000496,00002711,-00000001), ref: 00637F78
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageNotifySend
                                                                  • String ID: MS PGothic
                                                                  • API String ID: 3556456075-3532686627
                                                                  • Opcode ID: e5749daa967823459fdeaefec4be1a6f65d77a60ac0ff4438c33e858d093da55
                                                                  • Instruction ID: 6f65c066beb337809f18ef5189d5c66f0ff8a1cbcc623e9be8b007d16ca78b78
                                                                  • Opcode Fuzzy Hash: e5749daa967823459fdeaefec4be1a6f65d77a60ac0ff4438c33e858d093da55
                                                                  • Instruction Fuzzy Hash: AF51A3F0314205CFCB10EF65E985A5A77A3FB89306F54927AA8049F3A6DA34DC42CBC5
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  • Failed to remove temporary directory: , xrefs: 006364FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CountTick
                                                                  • String ID: Failed to remove temporary directory:
                                                                  • API String ID: 536389180-3544197614
                                                                  • Opcode ID: 0180d6ccb14a4ed4752ec0429b6bc5050152c6e6749881499f4f3fe23e9b1eb9
                                                                  • Instruction ID: 6bf5f438c58430aa21d9d39cf3193b030e73b1f05efc44fa574aab31c3e1015d
                                                                  • Opcode Fuzzy Hash: 0180d6ccb14a4ed4752ec0429b6bc5050152c6e6749881499f4f3fe23e9b1eb9
                                                                  • Instruction Fuzzy Hash: 3101BC30650304BAEB12EFB1DC0BB9A3BE7EB48B10F618975F500932D2DAB99D00D655
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID: TWindowDisabler-Window
                                                                  • API String ID: 716092398-1824977358
                                                                  • Opcode ID: 6c7facdfd0e66ee599a1159b40424e0c067c3ede558cbe5f898d13db70d6f81c
                                                                  • Instruction ID: bb8e3ddeb58cf41b6c5bd30de7c2c2887b00180dd447bf5933bbb47be1ef0363
                                                                  • Opcode Fuzzy Hash: 6c7facdfd0e66ee599a1159b40424e0c067c3ede558cbe5f898d13db70d6f81c
                                                                  • Instruction Fuzzy Hash: 89F07FB2600118AF8B80DE9DDC81EDB77ECEB4D2A4B05412ABA08E3201D634ED118BA4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005A4104: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A47DE,?,00000000,?,005A477E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE), ref: 005A4120
                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006417E8,?,00635D0A,00000000,00635F0F,?,00000000,00000000), ref: 00635AF1
                                                                  Strings
                                                                  • Software\Microsoft\Windows\CurrentVersion, xrefs: 00635AC3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CloseOpen
                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                  • API String ID: 47109696-1019749484
                                                                  • Opcode ID: 19edadb77260ad24aa013ce3b31d79cb03f428e450c0cdbd72eb253455b1f3a5
                                                                  • Instruction ID: 8f1b02018f3084e878ea990e92e44accb1c6db1a79b33ac038877bf5a8479c7b
                                                                  • Opcode Fuzzy Hash: 19edadb77260ad24aa013ce3b31d79cb03f428e450c0cdbd72eb253455b1f3a5
                                                                  • Instruction Fuzzy Hash: E0F02731300104A7E600A1DE5D86BAEA3CE9BC5314F20013FF605D7342DAE09D0153A4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(00000000,004080EA,?,0064E000,00656B9C,?,?,004084ED,?,?,?,00408576,0040559F,004055E6,?,?), ref: 004080DA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID: 81d
                                                                  • API String ID: 2492992576-1505480649
                                                                  • Opcode ID: 10960fbbd0f37afa25b4c65a54ae7077b3beb19aff8004b15f209721f71424d0
                                                                  • Instruction ID: a55552c9480317e4c83efdacc74819adb46042ac165774ef662aa2933abb4353
                                                                  • Opcode Fuzzy Hash: 10960fbbd0f37afa25b4c65a54ae7077b3beb19aff8004b15f209721f71424d0
                                                                  • Instruction Fuzzy Hash: 58F090312057059FE7318F4AEA90A13BB9CFB587607A7403FE844A77A1DE759814C968
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A47DE,?,00000000,?,005A477E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE), ref: 005A4120
                                                                  Strings
                                                                  • Control Panel\Desktop\ResourceLocale, xrefs: 005A411E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID: Control Panel\Desktop\ResourceLocale
                                                                  • API String ID: 71445658-1109908249
                                                                  • Opcode ID: ce076c2cb336e14aab7b89f6995de6a7853b6a319f08c762a578886beb655afa
                                                                  • Instruction ID: e5251958779dbe226deca3b4eeefb2c80cd5fd3e52e87ec8dbe830b67a0152ec
                                                                  • Opcode Fuzzy Hash: ce076c2cb336e14aab7b89f6995de6a7853b6a319f08c762a578886beb655afa
                                                                  • Instruction Fuzzy Hash: 65D0C9729102287BAB00AB8DDC42DFB779DEB5A760F44801AFE0497100C2B4EC91CBF4
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindNextFileW.KERNEL32(000000FF,?,00000000,005EBEFA,?,00000000,005EBF6E,?,?,?,006364F1,00000000,00636440,00000000,00000000,00000001), ref: 005EBED6
                                                                  • FindClose.KERNEL32(000000FF,005EBF01,005EBEFA,?,00000000,005EBF6E,?,?,?,006364F1,00000000,00636440,00000000,00000000,00000001,00000001), ref: 005EBEF4
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Find$CloseFileNext
                                                                  • String ID:
                                                                  • API String ID: 2066263336-0
                                                                  • Opcode ID: b6298125c9b28060a31d5c83e8c1a9bbcb833d174a67668110a27a35cc62285f
                                                                  • Instruction ID: e80dd1214523b732a391fd103c8b24b3e146d2fc262259e3d85170488ea8701e
                                                                  • Opcode Fuzzy Hash: b6298125c9b28060a31d5c83e8c1a9bbcb833d174a67668110a27a35cc62285f
                                                                  • Instruction Fuzzy Hash: F4816E30D042899AEF29DFA6C9857EEBFB5BF45301F1441A9E89463292C7349F44CF91
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005A401A,?,00637FA8,00000000,00000000), ref: 005A3F20
                                                                  • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005A401A,?,00637FA8), ref: 005A3F8E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: QueryValue
                                                                  • String ID:
                                                                  • API String ID: 3660427363-0
                                                                  • Opcode ID: a7c7cc38be8137b7d10ace986e42629bcbcf8e15e0f03f6daa65d76ab3994185
                                                                  • Instruction ID: db0b1c5050519b113e59c6d9795ff41349f93559cc3f6bbe9154ec7cb37e6f8b
                                                                  • Opcode Fuzzy Hash: a7c7cc38be8137b7d10ace986e42629bcbcf8e15e0f03f6daa65d76ab3994185
                                                                  • Instruction Fuzzy Hash: F4414971E10119AFDB10DF95C981ABEBBB8FB46704F60446AF900FB280D778AF449B95
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005AC0A0: GetDC.USER32(00000000), ref: 005AC0B1
                                                                    • Part of subcall function 005AC0A0: SelectObject.GDI32($O`,00000000), ref: 005AC0D3
                                                                    • Part of subcall function 005AC0A0: GetTextExtentPointW.GDI32($O`,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005AC0E7
                                                                    • Part of subcall function 005AC0A0: GetTextMetricsW.GDI32($O`,?,00000000,005AC12C,?,00000000,?,?,00604F24), ref: 005AC109
                                                                    • Part of subcall function 005AC0A0: ReleaseDC.USER32 ref: 005AC126
                                                                  • MulDiv.KERNEL32(00605913,00000006,00000006), ref: 005AE97D
                                                                  • MulDiv.KERNEL32(?,?,0000000D), ref: 005AE994
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                                                  • String ID:
                                                                  • API String ID: 844173074-0
                                                                  • Opcode ID: 7e5a83ed530688603f6e9a6d7196652cdb4df65cb2f162841748f007a13763a4
                                                                  • Instruction ID: a19cc55b1f41b30519d97d3c89c469f431b82b3e027b6e21c972cb51c7691b0d
                                                                  • Opcode Fuzzy Hash: 7e5a83ed530688603f6e9a6d7196652cdb4df65cb2f162841748f007a13763a4
                                                                  • Instruction Fuzzy Hash: B541E535A00208EFCB01DBA8D986EADBBF9FB49300F2541A5F904EB361D771AE009B50
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 0040F3E7
                                                                  • LocalFree.KERNEL32(00000000,00000000), ref: 0040F401
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Free$LibraryLocal
                                                                  • String ID:
                                                                  • API String ID: 3007483513-0
                                                                  • Opcode ID: 27ccbf90c6c32dd6ce6f45082bfecf4cdf76ad0f3b6258c746885aa8a493c144
                                                                  • Instruction ID: 87edba83d4e9cceb9fa441504d47457c7bd9041f1947dfeea52ad5706f964a28
                                                                  • Opcode Fuzzy Hash: 27ccbf90c6c32dd6ce6f45082bfecf4cdf76ad0f3b6258c746885aa8a493c144
                                                                  • Instruction Fuzzy Hash: 4131A872900115ABC724DF95D8C196F73B8AF98314B14403EFD04B7781DB38DD458B98
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetUserDefaultUILanguage.KERNEL32(00000000,0040CF2F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CFB6,00000000,?,00000105), ref: 0040CEC3
                                                                  • GetSystemDefaultUILanguage.KERNEL32(00000000,0040CF2F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CFB6,00000000,?,00000105), ref: 0040CEEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DefaultLanguage$SystemUser
                                                                  • String ID:
                                                                  • API String ID: 384301227-0
                                                                  • Opcode ID: 93680eb6051e83e1ef61b31bac7d2ed8329ee173ada7549af2e24ac3e119f4f5
                                                                  • Instruction ID: 596729fc8fd017cb2975136f5f86cc996c07360807243d60c5c52b7907f77100
                                                                  • Opcode Fuzzy Hash: 93680eb6051e83e1ef61b31bac7d2ed8329ee173ada7549af2e24ac3e119f4f5
                                                                  • Instruction Fuzzy Hash: DC312F70A14209DFDB10EB99C9C1AAEB7B5EB44704F60467BE400B73D1DB78AD41CB99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateProcessW.KERNEL32 ref: 005EA0AC
                                                                  • GetLastError.KERNEL32(00000000,00000000,0065A16C,?,?,0060C630,00000000,0060C614,?,00000000,00000000,005EA0D2,?,?,00000000,00000001), ref: 005EA0B4
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 2919029540-0
                                                                  • Opcode ID: d57bf6ffc9c3c317eefde2e176bccfe949134880f7c9821ff6f4fd5ce8d7f45e
                                                                  • Instruction ID: 2dfb14339bafda70a1707157cdb5763b07a5ccb654acc33a6885253e306b3c14
                                                                  • Opcode Fuzzy Hash: d57bf6ffc9c3c317eefde2e176bccfe949134880f7c9821ff6f4fd5ce8d7f45e
                                                                  • Instruction Fuzzy Hash: C21139B2600248AF8B55DEAEDC45DDABBECEB8D310B118566FA18D3201D634AD109B65
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegQueryValueExW.ADVAPI32(00652F8C,0000001B,00000000,00000000,00000000,00000000), ref: 005A4059
                                                                  • RegEnumValueW.ADVAPI32(00652F8C,00000000,0000001B,0000001B,00000000,00000000,00000000,00000000,00652F8C,0000001B,00000000,00000000,00000000), ref: 005A409B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Value$EnumQuery
                                                                  • String ID:
                                                                  • API String ID: 1576479698-0
                                                                  • Opcode ID: bcd46820c478d20fc0be18caa650104cb86f97914b7329240ce9dcd7627366f4
                                                                  • Instruction ID: 718cb5cdd1179ae80937b1a809c8d8ce687fa288785382107336c19694f062a4
                                                                  • Opcode Fuzzy Hash: bcd46820c478d20fc0be18caa650104cb86f97914b7329240ce9dcd7627366f4
                                                                  • Instruction Fuzzy Hash: 2E01FC3278531069F63055D55C0AF6FA9CCFBC3B60F24022AFB449F1C0E7D45C44A6A6
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004121D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc
                                                                  • String ID:
                                                                  • API String ID: 190572456-0
                                                                  • Opcode ID: b505409bb2b6c5c1b3c8618489fb579310ea6e957dc175e5bfb36aa969615ef3
                                                                  • Instruction ID: c235e8af4864aa2492a3e9253a8948da1b1d6369952aa228640533ef2e312267
                                                                  • Opcode Fuzzy Hash: b505409bb2b6c5c1b3c8618489fb579310ea6e957dc175e5bfb36aa969615ef3
                                                                  • Instruction Fuzzy Hash: 8211E570614608BFD701DF61CE529DEB7ACEB4A714BA144BBF804E3281DB785E14A668
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CFF6,?,?,00000000), ref: 0040CF78
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CFF6,?,?,00000000), ref: 0040CFC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileLibraryLoadModuleName
                                                                  • String ID:
                                                                  • API String ID: 1159719554-0
                                                                  • Opcode ID: 1f4e2380d52d609bd7b274542df80a10bff1a013fbbefc9b33ec8f5fc500ad21
                                                                  • Instruction ID: bcd7cfb62d12acf44e760b2cc37d5a9a6c3f2f2744d4c9653b1ef10c08e20f9b
                                                                  • Opcode Fuzzy Hash: 1f4e2380d52d609bd7b274542df80a10bff1a013fbbefc9b33ec8f5fc500ad21
                                                                  • Instruction Fuzzy Hash: 6311BF71A4020CEBDB20EF60CC86BDEB3B9DB44704F5145BAB408B32C1DA785F80CA99
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00589946
                                                                  • EnumThreadWindows.USER32(00000000,005898A4,00000000), ref: 0058994C
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$CurrentEnumWindows
                                                                  • String ID:
                                                                  • API String ID: 2396873506-0
                                                                  • Opcode ID: 70b67c61e2d9797481d48fa6b9cfe1aa86131bc99be7548f98dbdfb440c890bb
                                                                  • Instruction ID: bf1bffc172f51048d728f669e4ff64b48adfa7dc15251b4088cf312f0de0688e
                                                                  • Opcode Fuzzy Hash: 70b67c61e2d9797481d48fa6b9cfe1aa86131bc99be7548f98dbdfb440c890bb
                                                                  • Instruction Fuzzy Hash: 8F11C0B1604349AFD711CF29FC61A16BFE9F74E710F61956AE800E3760E7355800CB11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • DeleteFileW.KERNEL32(00000000,00000000,005EA1D5,?,?,?), ref: 005EA1AF
                                                                  • GetLastError.KERNEL32(00000000,00000000,005EA1D5,?,?,?), ref: 005EA1B7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 2018770650-0
                                                                  • Opcode ID: 0ca3686aa5f47bacd65e1abf2717fa98b424e4207ba78bc3f4b31bf05844f1c1
                                                                  • Instruction ID: 14af580e2d9197b718eba8ec73c2250dce9b66594b916b78ca97468f66734773
                                                                  • Opcode Fuzzy Hash: 0ca3686aa5f47bacd65e1abf2717fa98b424e4207ba78bc3f4b31bf05844f1c1
                                                                  • Instruction Fuzzy Hash: 39F022B1A04288AFCB0ADFB6AC0149DBBE8EB49320B114AB6F804D3201E7746E10C195
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RemoveDirectoryW.KERNEL32(00000000,00000000,005EA6E1,?,?,00000000), ref: 005EA6BB
                                                                  • GetLastError.KERNEL32(00000000,00000000,005EA6E1,?,?,00000000), ref: 005EA6C3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryErrorLastRemove
                                                                  • String ID:
                                                                  • API String ID: 377330604-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,005EA3AF,?,?), ref: 005EA389
                                                                  • GetLastError.KERNEL32(00000000,00000000,005EA3AF,?,?), ref: 005EA391
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 1799206407-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00008000,00000000), ref: 0042857E
                                                                  • LoadLibraryW.KERNEL32(00000000,00000000,004285C8,?,00000000,004285E6,?,00008000,00000000), ref: 004285AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLibraryLoadMode
                                                                  • String ID:
                                                                  • API String ID: 2987862817-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00595F8D
                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00595FA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: TextWindow
                                                                  • String ID:
                                                                  • API String ID: 530164218-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetWindowLongW.USER32(00000000,000000FC), ref: 0046DABB
                                                                  • DestroyWindow.USER32(00000000,00000000,000000FC,?,?,005F320A,0064239B,?,?,?,?,00642E6B), ref: 0046DAC3
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$DestroyLong
                                                                  • String ID:
                                                                  • API String ID: 2871862000-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindResourceW.KERNEL32(00000000,00000000,0000000A,?,108B0065,00000000,0045A04F,?,00459F70,00000000,00459F88,?,0000FFA2,00000000,00000000), ref: 00458726
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FindResource
                                                                  • String ID:
                                                                  • API String ID: 1635176832-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,0043EB1C,0045EFF5,00000000,0045F0E0,?,?,0043EB1C), ref: 00420EC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  • API String ID: 823142352-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005A9B46,00000000,005A9B97,?,005A9D78), ref: 005A4C8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FormatMessage
                                                                  • String ID:
                                                                  • API String ID: 1306739567-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,005A2F3E,?,00000000,00000000,?,005A2F8E,00000000,005EA295,00000000,005EA2B6,?,00000000,00000000,00000000), ref: 005A2F21
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040BCCE
                                                                    • Part of subcall function 0040CF3C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CFF6,?,?,00000000), ref: 0040CF78
                                                                    • Part of subcall function 0040CF3C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CFF6,?,?,00000000), ref: 0040CFC9
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FileModuleName$LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 4113206344-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CoTaskMemFree.OLE32(?,00635EA6,?,00000000,00000000,?,00641232,00000006,?,00000000,006417E8,?,00000000,006418A7), ref: 00635E99
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: FreeTask
                                                                  • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                  • API String ID: 734271698-544719455
                                                                  • Opcode ID: d6cc94357e9b4d482e3f780e28921c765618eee60dc83b54c62dd7b943fc5ee4
                                                                  • Instruction ID: 7ffc6370bda443bc92fef2a0e313934ca25d4b777612dd4e68e9b9fc68387764
                                                                  • Opcode Fuzzy Hash: d6cc94357e9b4d482e3f780e28921c765618eee60dc83b54c62dd7b943fc5ee4
                                                                  • Instruction Fuzzy Hash: B9E09230704B04BFE7118BB19C12E1A77A9E789B00F624475F901D3580D6389E109654
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(00000000,?,005EA4C9,00000000,005EA4E2,?,?,00000000), ref: 005A2F9F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: 8a255e7084c1d4bb7472271fde96402857c95202b276e2acd4e4a9190e598e65
                                                                  • Instruction ID: fc3c4eed84c30f19a1c441d424a5b67955dd1178da1cbcafa755cc6f6b03dff3
                                                                  • Opcode Fuzzy Hash: 8a255e7084c1d4bb7472271fde96402857c95202b276e2acd4e4a9190e598e65
                                                                  • Instruction Fuzzy Hash: 48D080F12112001FEE14A6BD1DC735D45946B97335F144B66F665E21E3D7399CD35024
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(00000000,?,005AB367,00000000), ref: 005A2F57
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  • Opcode ID: c6d2500b30dae5ad6f7b9d4b152e32b5648cd6802b3bbbaa350e25554f80be30
                                                                  • Instruction ID: 8eea6359f5587f00b947eba6570d919262773cccbea40a920b8d3036fa88f985
                                                                  • Opcode Fuzzy Hash: c6d2500b30dae5ad6f7b9d4b152e32b5648cd6802b3bbbaa350e25554f80be30
                                                                  • Instruction Fuzzy Hash: 83C08CB13212001AAE28A5BD1DC724D0288D90A6387244A6AF028E21D3D239D8622024
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetCurrentDirectoryW.KERNEL32(00000000,?,006420A6,00000000,006422B3,?,?,00000005,00000000,006422EC,?,?,00000000), ref: 004216D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CurrentDirectory
                                                                  • String ID:
                                                                  • API String ID: 1611563598-0
                                                                  • Opcode ID: b0d6698c2dcac5c5f0ae111c9658734ca8c85f2357247c35c1432fb6bd6b82a1
                                                                  • Instruction ID: 564d134ef7185f85f8d01be3fce57125d53e0ced79d182862342ca5686891228
                                                                  • Opcode Fuzzy Hash: b0d6698c2dcac5c5f0ae111c9658734ca8c85f2357247c35c1432fb6bd6b82a1
                                                                  • Instruction Fuzzy Hash: ADB012F37302408ADE0079FE0CC1A0D00CC950D60E7100C3FB415D3103D47EC8540118
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(?,004285ED), ref: 004285E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ErrorMode
                                                                  • String ID:
                                                                  • API String ID: 2340568224-0
                                                                  • Opcode ID: 694ce845132877454baa2e6b3012364acd93b9efc57970288032cec8c680be07
                                                                  • Instruction ID: 568c60eda5aa1572bc2e1142576596c1e9a0f01cb60d8405de23d4eee8032556
                                                                  • Opcode Fuzzy Hash: 694ce845132877454baa2e6b3012364acd93b9efc57970288032cec8c680be07
                                                                  • Instruction Fuzzy Hash: 61B09B7670C2047DEB05D6E5791156C63D4D7C47103E1487BF414C2540D97CA450C618
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,00642378,00000000,00642387,?,?,?,?,?,00642E6B), ref: 0063688E
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: f32a72f60d711907929f94d09a49bc4b41de752ae0866165be8e13c42a4fe9b3
                                                                  • Instruction ID: c016c28d6e174527514e8dcd2413324d0cd3dc8fe68db40f6dac7c3ea7217bf6
                                                                  • Opcode Fuzzy Hash: f32a72f60d711907929f94d09a49bc4b41de752ae0866165be8e13c42a4fe9b3
                                                                  • Instruction Fuzzy Hash: 4FC002B0910B00AEC7E4EB79EC687A137E6B70830AF107829B104C3260EB749480EB10
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: InfoSystem
                                                                  • String ID:
                                                                  • API String ID: 31276548-0
                                                                  • Opcode ID: 3c697633d840bb24647ac05e8ba59606fced48aa54a110b736518492aea7a936
                                                                  • Instruction ID: 47ab257af6e364695ea890f9b43c82e37ccfc4e8ddd737aab863078b62403aa0
                                                                  • Opcode Fuzzy Hash: 3c697633d840bb24647ac05e8ba59606fced48aa54a110b736518492aea7a936
                                                                  • Instruction Fuzzy Hash: 0DA012108084001AC404BB194C4340F39C45941514FC40264745CB56C2E61A866403DB
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?,004F335B,004F58DC,?,?,?,00000000,?,0058A9BB), ref: 0046D882
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: 8b061f331fd42d607532db1b467d7515908698bc866769bdc05ba9cd2a7e7e49
                                                                  • Instruction ID: bfd231d992f2bcfde4f8b5cc6a270b98dceb088bb630ada5516c6f1a4b212f3e
                                                                  • Opcode Fuzzy Hash: 8b061f331fd42d607532db1b467d7515908698bc866769bdc05ba9cd2a7e7e49
                                                                  • Instruction Fuzzy Hash: E7111874A403059BD710EF19C881B82FBE5EF98350F14C53AE9688B386E374E915CBA9
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00404283,000000FF,00404828,00000000,0040D8EF,00000000,0040DDFD,00000000,0040E0BF,00000000), ref: 00403C83
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  • Opcode ID: f76ec2e496c5b49282b10548a05cc944a81f0939acac8f67f311ffb2ad1ec239
                                                                  • Instruction ID: 197183dc905841a21b02d7182249454c67855fd1ed42545ff938eb58c327bd08
                                                                  • Opcode Fuzzy Hash: f76ec2e496c5b49282b10548a05cc944a81f0939acac8f67f311ffb2ad1ec239
                                                                  • Instruction Fuzzy Hash: 82F0AFF2B453115FE754DF78AD407027BE6E70435AF1141BEE909EB798DBB098418788
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403DC7
                                                                  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403DEA
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403DF7
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Virtual$Free$Query
                                                                  • String ID:
                                                                  • API String ID: 778034434-0
                                                                  • Opcode ID: b48625b04a30269c8bd2381e3b4f1caa0b4a0741f9720b80a4ba476a4a625d95
                                                                  • Instruction ID: cf8164d50a14be05f525a7af5cbcda19bea832217c526eb92671fea8f23d1867
                                                                  • Opcode Fuzzy Hash: b48625b04a30269c8bd2381e3b4f1caa0b4a0741f9720b80a4ba476a4a625d95
                                                                  • Instruction Fuzzy Hash: F0F04B353046009FD310DE1AC844A17BBE9EFC9711F15C26AE888973A1D635DD018B96
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Non-executed Functions

                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 0060D094
                                                                  • QueryPerformanceCounter.KERNEL32(00000000,00000000,0060D327,?,?,00000000,00000000,?,0060DD26,?,00000000,00000000), ref: 0060D09D
                                                                  • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0060D0A7
                                                                  • GetCurrentProcessId.KERNEL32(?,00000000,00000000,0060D327,?,?,00000000,00000000,?,0060DD26,?,00000000,00000000), ref: 0060D0B0
                                                                  • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0060D126
                                                                  • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0060D134
                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000000,00652F64,00000003,00000000,00000000,00000000,0060D2E3,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 0060D17C
                                                                  • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0060D2D2,?,00000000,C0000000,00000000,00652F64,00000003,00000000,00000000,00000000,0060D2E3), ref: 0060D1B5
                                                                    • Part of subcall function 005A3B4C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A3B5F
                                                                  • CreateProcessW.KERNEL32 ref: 0060D25E
                                                                  • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0060D294
                                                                  • CloseHandle.KERNEL32(000000FF,0060D2D9,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0060D2CC
                                                                    • Part of subcall function 005EAE9C: GetLastError.KERNEL32(00000000,005EBBB2,00000005,00000000,005EBBDA,?,?,0065A16C,?,00000000,00000000,00000000,?,006427AF,00000000,006427CA), ref: 005EAE9F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                  • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                  • API String ID: 770386003-3271284199
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 0062FA6C: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0062FA98
                                                                    • Part of subcall function 0062FA6C: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062FAB1
                                                                    • Part of subcall function 0062FA6C: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062FADB
                                                                    • Part of subcall function 0062FA6C: CloseHandle.KERNEL32(00000000), ref: 0062FAF9
                                                                    • Part of subcall function 0062FB7C: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,0062FC0D,?,00000097,?,?,0062FC87,00000000,0062FD9F,?,?,00000001), ref: 0062FBAB
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0062FCD7
                                                                  • GetLastError.KERNEL32(0000003C,00000000,0062FD9F,?,?,00000001), ref: 0062FCE0
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 0062FD2D
                                                                  • GetExitCodeProcess.KERNEL32 ref: 0062FD53
                                                                  • CloseHandle.KERNEL32(00000000,0062FD84,00000000,00000000,000000FF,000004FF,00000000,0062FD7D,?,0000003C,00000000,0062FD9F,?,?,00000001), ref: 0062FD77
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                                                  • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                  • API String ID: 254331816-221126205
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,0041AE20,?,?), ref: 0040C64D
                                                                  • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C65E
                                                                  • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041AE20,?,?), ref: 0040C75E
                                                                  • FindClose.KERNEL32(?,?,?,kernel32.dll,0041AE20,?,?), ref: 0040C770
                                                                  • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041AE20,?,?), ref: 0040C77C
                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041AE20,?,?), ref: 0040C7C1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                  • String ID: GetLongPathNameW$\$kernel32.dll
                                                                  • API String ID: 1930782624-3908791685
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsIconic.USER32(?), ref: 0063046D
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0063048A
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 006304AF
                                                                    • Part of subcall function 005899B4: IsWindow.USER32(?), ref: 005899C2
                                                                    • Part of subcall function 005899B4: EnableWindow.USER32(?,000000FF), ref: 005899D1
                                                                  • GetActiveWindow.USER32 ref: 0063057B
                                                                  • SetActiveWindow.USER32(00000005,006305E3,006305F9,?,?,000000EC,?,000000F0,00000000,?,00000000), ref: 006305CC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window$ActiveLong$EnableIconic
                                                                  • String ID: (^R$`
                                                                  • API String ID: 4222481217-3475214697
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000028), ref: 005ED37C
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005ED382
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 005ED39B
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 005ED3C2
                                                                  • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 005ED3C7
                                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 005ED3D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                  • String ID: SeShutdownPrivilege
                                                                  • API String ID: 107509674-3733053543
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,006425C1,?,0065A16C,?,?,00642776,00000000,006427CA,?,00000000,00000000,00000000), ref: 006424D5
                                                                  • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 00642558
                                                                  • FindNextFileW.KERNEL32(000000FF,?,00000000,00642594,?,00000000,?,00000000,006425C1,?,0065A16C,?,?,00642776,00000000,006427CA), ref: 00642570
                                                                  • FindClose.KERNEL32(000000FF,0064259B,00642594,?,00000000,?,00000000,006425C1,?,0065A16C,?,?,00642776,00000000,006427CA), ref: 0064258E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirstNext
                                                                  • String ID: isRS-$isRS-???.tmp
                                                                  • API String ID: 134685335-3422211394
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsIconic.USER32(?), ref: 005A57E9
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 005A5806
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 005A582B
                                                                  • GetActiveWindow.USER32 ref: 005A5839
                                                                  • MessageBoxW.USER32(00000000,00000000,?,-0000002D), ref: 005A5866
                                                                  • SetActiveWindow.USER32(?,005A5894,-0000002D,00000000,005A588D,?,?,000000EC,?,000000F0,?,00000000,005A58CA,?,?,00000000), ref: 005A5887
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window$ActiveLong$IconicMessage
                                                                  • String ID:
                                                                  • API String ID: 1633107849-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005A5239
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005A5249
                                                                    • Part of subcall function 00411FE4: CreateMutexW.KERNEL32(?,00000001,00000000,?,00642877,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00642B9B,?,?,00000000), ref: 00411FFA
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                                  • String ID:
                                                                  • API String ID: 3525989157-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,00610A3A,?,?,?,?,00000005,00000000,00000000,?,?,00611E15,00000000,00000000,?,00000000), ref: 006108EE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorLast
                                                                  • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                  • API String ID: 1452528299-3112430753
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ShowWindow.USER32(?,00000005,00000000,00642B9B,?,?,00000000,?,00000000,00000000,?,0064307E,00000000,00643088,?,00000000), ref: 0064285F
                                                                  • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00642B9B,?,?,00000000,?,00000000,00000000), ref: 00642885
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 006428A6
                                                                  • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00642B9B,?,?,00000000,?,00000000), ref: 006428BB
                                                                    • Part of subcall function 005A36A0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005A3735,?,?,?,00000001,?,005EE002,00000000,005EE06D), ref: 005A36D5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                                  • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                  • API String ID: 66301061-3672972446
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005A4104: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A47DE,?,00000000,?,005A477E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE), ref: 005A4120
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,005EC77A,?,?,00000003,00000000,00000000,005EC7BE), ref: 005EC5F9
                                                                    • Part of subcall function 005A4C6C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005A9B46,00000000,005A9B97,?,005A9D78), ref: 005A4C8B
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,005EC6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 005EC67A
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,005EC6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 005EC6A1
                                                                  Strings
                                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 005EC552
                                                                  • RegOpenKeyEx, xrefs: 005EC575
                                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 005EC519
                                                                  • , xrefs: 005EC56C
                                                                  Similarity
                                                                  • API ID: QueryValue$FormatMessageOpen
                                                                  • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                  • API String ID: 2812809588-1577016196
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0060EB81,?,0060E678,?,00000000,00000000,00000000,?,?,0060EDEC,00000000), ref: 0060EA25
                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0060EB81,?,0060E678,?,00000000,00000000,00000000,?,?,0060EDEC,00000000), ref: 0060EA8F
                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,0060EB81,?,0060E678,?,00000000,00000000,00000000,?), ref: 0060EAF6
                                                                  Strings
                                                                  • .NET Framework not found, xrefs: 0060EB42
                                                                  • v1.1.4322, xrefs: 0060EAE8
                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0060EAAC
                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 0060E9DB
                                                                  • .NET Framework version %s not found, xrefs: 0060EB2E
                                                                  • v2.0.50727, xrefs: 0060EA81
                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0060EA45
                                                                  • v4.0.30319, xrefs: 0060EA17
                                                                  Similarity
                                                                  • API ID: Close
                                                                  • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                  • API String ID: 3535843008-446240816
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CloseHandle.KERNEL32(?), ref: 0060D623
                                                                  • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0060D63F
                                                                  • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 0060D64D
                                                                  • GetExitCodeProcess.KERNEL32 ref: 0060D65E
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0060D6A5
                                                                  • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0060D6C1
                                                                  Strings
                                                                  • Helper process exited., xrefs: 0060D66D
                                                                  • Stopping 64-bit helper process. (PID: %u), xrefs: 0060D615
                                                                  • Helper isn't responding; killing it., xrefs: 0060D62F
                                                                  • Helper process exited with failure code: 0x%x, xrefs: 0060D68B
                                                                  • Helper process exited, but failed to get exit code., xrefs: 0060D697
                                                                  Similarity
                                                                  • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                  • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                  • API String ID: 3355656108-1243109208
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005EB3C0: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EB4FB), ref: 005EB4AB
                                                                    • Part of subcall function 005EB3C0: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EB4FB), ref: 005EB4BB
                                                                  • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,00640CC6), ref: 00640B5B
                                                                  • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,00640CC6), ref: 00640B82
                                                                  • SetWindowLongW.USER32 ref: 00640BBC
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00640C8F,?,?,000000FC,006401D4,00000000,?,00000000), ref: 00640BF1
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 00640C65
                                                                  • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00640C8F,?,?,000000FC,006401D4,00000000), ref: 00640C73
                                                                    • Part of subcall function 005EB8B8: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EB99E
                                                                  • DestroyWindow.USER32(?,00640C96,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00640C8F,?,?,000000FC,006401D4,00000000,?), ref: 00640C89
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                  • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                  • API String ID: 1779715363-2312673372
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00597E58: GetActiveWindow.USER32 ref: 00597E7F
                                                                    • Part of subcall function 00597E58: GetLastActivePopup.USER32(?), ref: 00597E94
                                                                  • MonitorFromWindow.USER32(00000000,00000002), ref: 00596911
                                                                  • MonitorFromWindow.USER32(?,00000002), ref: 00596925
                                                                  • GetMonitorInfoW.USER32 ref: 00596944
                                                                  • GetWindowRect.USER32 ref: 00596957
                                                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?,00000000,00000028,?,00000002,?,?,00000000), ref: 00596992
                                                                  • MessageBoxW.USER32(00000000,00000000,?,?), ref: 005969D1
                                                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00596A4A,?,00000002,?,?,00000000), ref: 00596A24
                                                                    • Part of subcall function 005899B4: IsWindow.USER32(?), ref: 005899C2
                                                                    • Part of subcall function 005899B4: EnableWindow.USER32(?,000000FF), ref: 005899D1
                                                                  • SetActiveWindow.USER32(00000000,00596A4A,?,00000002,?,?,00000000), ref: 00596A35
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$ActiveMonitor$From$EnableInfoLastMessagePopupRect
                                                                  • String ID: (
                                                                  • API String ID: 2800294577-3887548279
                                                                  • Opcode ID: 93439f5cc7ba727cc7d97b424d465ef9b60ac03c4973447e8edcbb0b2ad04a1c
                                                                  • Instruction ID: 4dd609e7ed9c10f2a39831ec99a0677e2ecea9c4a8af3539202c6e4dd4599a2a
                                                                  • Opcode Fuzzy Hash: 93439f5cc7ba727cc7d97b424d465ef9b60ac03c4973447e8edcbb0b2ad04a1c
                                                                  • Instruction Fuzzy Hash: AB41F975E00209AFDF04DBA9CD96FEEBBB9FB48304F548469F500AB381DA746D408B54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,0060DA7F,?,00000000,0060DADA,?,?,00000000,00000000), ref: 0060D8F9
                                                                  • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0060DA14,?,00000000,000000FF,00000000,00000000,00000000,0060DA7F), ref: 0060D956
                                                                  • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0060DA14,?,00000000,000000FF,00000000,00000000,00000000,0060DA7F), ref: 0060D963
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 0060D9AF
                                                                  • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,0060D9ED,00000000,00000000), ref: 0060D9D9
                                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF,0060D9ED,00000000,00000000), ref: 0060D9E0
                                                                    • Part of subcall function 005EAE9C: GetLastError.KERNEL32(00000000,005EBBB2,00000005,00000000,005EBBDA,?,?,0065A16C,?,00000000,00000000,00000000,?,006427AF,00000000,006427CA), ref: 005EAE9F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                  • String ID: CreateEvent$TransactNamedPipe
                                                                  • API String ID: 2182916169-3012584893
                                                                  • Opcode ID: 587abc3039294ab8be615838be7e2b3339d4a2d9f7e7a7c65fe5873f3d42b28e
                                                                  • Instruction ID: cc40f01ca4d4471f174cde47d1b1fd116972b229995c538558590d9fa653ab81
                                                                  • Opcode Fuzzy Hash: 587abc3039294ab8be615838be7e2b3339d4a2d9f7e7a7c65fe5873f3d42b28e
                                                                  • Instruction Fuzzy Hash: 74417B74A40208AFDB15DFD9CD81F9EBBB9FB09310F1142A5FA00E72D1D6749A40CB64
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(00656C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F,?,?,00000000,00000000,00000000), ref: 0040C50A
                                                                  • LeaveCriticalSection.KERNEL32(00656C14,00656C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F,?,?,00000000,00000000), ref: 0040C52E
                                                                  • LeaveCriticalSection.KERNEL32(00656C14,00656C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F,?,?,00000000,00000000), ref: 0040C53D
                                                                  • IsValidLocale.KERNEL32(00000000,00000002,00656C14,00656C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F), ref: 0040C54F
                                                                  • EnterCriticalSection.KERNEL32(00656C14,00000000,00000002,00656C14,00656C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F), ref: 0040C5AC
                                                                  • LeaveCriticalSection.KERNEL32(00656C14,00656C14,00000000,00000002,00656C14,00656C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F), ref: 0040C5D5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                  • String ID: en-US,en,
                                                                  • API String ID: 975949045-3579323720
                                                                  • Opcode ID: 46dfa2c390dfd9fcddc3d7a3d519c078bf4b27f4af89702944140c56ae647f6d
                                                                  • Instruction ID: d7439257cb545fff3ac83513a8b3620a4b66b1634b2132e293977f8023978c7a
                                                                  • Opcode Fuzzy Hash: 46dfa2c390dfd9fcddc3d7a3d519c078bf4b27f4af89702944140c56ae647f6d
                                                                  • Instruction Fuzzy Hash: 8D215AA4340210F6D711BB7A8C4261E359ADB89705F90867FB480B76C2DA7C9D45C7AF
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0060C0F6,?,?,?,00000000,00000000,00000000,00000000,00000000,?,006110ED,00000000,00611101), ref: 0060C002
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0060C046
                                                                    • Part of subcall function 005EAE9C: GetLastError.KERNEL32(00000000,005EBBB2,00000005,00000000,005EBBDA,?,?,0065A16C,?,00000000,00000000,00000000,?,006427AF,00000000,006427CA), ref: 005EAE9F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                  • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                  • API String ID: 1914119943-2711329623
                                                                  • Opcode ID: 9f5fe79e6db05353f538a1eebee7ab1e996da728d0d1e3da66a18af11cc71638
                                                                  • Instruction ID: c2cb6c9ee0fbc8b90987324f6613d756fd54a5fa1b02bc5094d3a695c3bf0470
                                                                  • Opcode Fuzzy Hash: 9f5fe79e6db05353f538a1eebee7ab1e996da728d0d1e3da66a18af11cc71638
                                                                  • Instruction Fuzzy Hash: B32171B1640105AFDB18EFAACC46D6B77FEEB8975070146A5F500D7392EA75EC01C760
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE,?,00000000), ref: 005A470B
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE,?,00000000), ref: 005A475E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressCloseHandleModuleProc
                                                                  • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                  • API String ID: 4190037839-2401316094
                                                                  • Opcode ID: 25371b4c0fe1b66999a72bd38134ac3adf5b4d14e7ed5a47f353e7cf480ea5dd
                                                                  • Instruction ID: ffaeb6297c0d62a825f7238d28ed2e408fbbe1f37f8c66c39d9c2991aa99af75
                                                                  • Opcode Fuzzy Hash: 25371b4c0fe1b66999a72bd38134ac3adf5b4d14e7ed5a47f353e7cf480ea5dd
                                                                  • Instruction Fuzzy Hash: F8214134A00249ABDB00EAF5DD46A9E7BE9FBC7704F604875E500E7281EBF89A41DF54
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 005AC0B1
                                                                    • Part of subcall function 004D0750: EnterCriticalSection.KERNEL32(?,00000000,004D09BF,?,?), ref: 004D0798
                                                                  • SelectObject.GDI32($O`,00000000), ref: 005AC0D3
                                                                  • GetTextExtentPointW.GDI32($O`,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005AC0E7
                                                                  • GetTextMetricsW.GDI32($O`,?,00000000,005AC12C,?,00000000,?,?,00604F24), ref: 005AC109
                                                                  • ReleaseDC.USER32 ref: 005AC126
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
                                                                  • String ID: $O`$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                  • API String ID: 1334710084-237595332
                                                                  • Opcode ID: b5b916d27d189161da9767cd2e8e3459c7015de9901a2091dbfd2c8bb4b70af7
                                                                  • Instruction ID: 5271e8d48229fc8d9a74cc6a0505171e73ae7c4dc914b397dac824714bb3a41d
                                                                  • Opcode Fuzzy Hash: b5b916d27d189161da9767cd2e8e3459c7015de9901a2091dbfd2c8bb4b70af7
                                                                  • Instruction Fuzzy Hash: 86018476B04204AFDB04DBE9CD51F9EBBECEB49704F500466B604D7381D6B4AE118764
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?,00408576,0040559F,004055E6,?,?,004055FF), ref: 004083DD
                                                                  • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?,00408576,0040559F,004055E6,?,?), ref: 004083E3
                                                                  • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?,?), ref: 004083FE
                                                                  • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,0040845C,?,?), ref: 00408404
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FileHandleWrite
                                                                  • String ID: DCe$Error$Runtime error at 00000000
                                                                  • API String ID: 3320372497-3118018461
                                                                  • Opcode ID: 13ce4a5f80a4d2b30842d409f903e3885f5d800d9945ef1b546b75d07238ec8f
                                                                  • Instruction ID: db3e682c4185ed60903732901cf8b317f543b65e566f1b916b3a1051628e4cb0
                                                                  • Opcode Fuzzy Hash: 13ce4a5f80a4d2b30842d409f903e3885f5d800d9945ef1b546b75d07238ec8f
                                                                  • Instruction Fuzzy Hash: 28F022A064430079E720FB525C0BF6A361DA340F2BF10457FB1A0795E2DEFA08C4836D
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,0060FEEA,?,00000000,?), ref: 0060FE2C
                                                                    • Part of subcall function 005EBFB4: FindClose.KERNEL32(000000FF,005EC0A9), ref: 005EC098
                                                                  Strings
                                                                  • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0060FEA3
                                                                  • Failed to delete directory (%d)., xrefs: 0060FEC4
                                                                  • Stripped read-only attribute., xrefs: 0060FDEE
                                                                  • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0060FE06
                                                                  • Failed to delete directory (%d). Will retry later., xrefs: 0060FE45
                                                                  • Failed to strip read-only attribute., xrefs: 0060FDFA
                                                                  • Deleting directory: %s, xrefs: 0060FDB3
                                                                  Similarity
                                                                  • API ID: CloseErrorFindLast
                                                                  • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                  • API String ID: 754982922-1448842058
                                                                  • Opcode ID: a9dbab9d7d0d30767d976fac3b18f0a047109a8a7aaba924b0daa3f36c4556ae
                                                                  • Instruction ID: fb8e7fb15c6259bd85cfdc6f3f4ee4436f7004990c8006c962aed4e647bcc0ca
                                                                  • Opcode Fuzzy Hash: a9dbab9d7d0d30767d976fac3b18f0a047109a8a7aaba924b0daa3f36c4556ae
                                                                  • Instruction Fuzzy Hash: 2E410730A442099BDB28EBBDC4093EF7AEBAF85300F14443AA501D77D2DBB88E458752
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCapture.USER32 ref: 005960C2
                                                                  • IsWindowUnicode.USER32(00000000), ref: 00596105
                                                                  • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 00596120
                                                                  • SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0059613F
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0059614E
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0059615F
                                                                  • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 0059617F
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000003.00000002.359179213.0000000000400000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360062509.000000000064E000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360098861.0000000000659000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360118677.000000000065C000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360145443.000000000065E000.00000008.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360168016.0000000000660000.00000004.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360184327.0000000000661000.00000002.00020000.sdmp
                                                                  • Associated: 00000003.00000002.360208920.0000000000663000.00000002.00020000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                  • String ID:
                                                                  • API String ID: 1994056952-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EB99E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringWrite
                                                                  • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                  • API String ID: 390214022-3304407042
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 0040781C: GetCurrentThreadId.KERNEL32 ref: 0040781F
                                                                  • GetTickCount.KERNEL32 ref: 00407393
                                                                  • GetTickCount.KERNEL32 ref: 004073AB
                                                                  • GetCurrentThreadId.KERNEL32 ref: 004073DA
                                                                  • GetTickCount.KERNEL32 ref: 00407405
                                                                  • GetTickCount.KERNEL32 ref: 0040743C
                                                                  • GetTickCount.KERNEL32 ref: 00407466
                                                                  • GetCurrentThreadId.KERNEL32 ref: 004074D6
                                                                  Similarity
                                                                  • API ID: CountTick$CurrentThread
                                                                  • String ID:
                                                                  • API String ID: 3968769311-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,0045F0E0,?,?,0043EB1C,00000001), ref: 0045F01E
                                                                    • Part of subcall function 00420E28: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,0043EB1C,0045F060,00000000,0045F0E0,?,?,0043EB1C), ref: 00420E77
                                                                    • Part of subcall function 0042127C: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,0043EB1C,0045F07B,00000000,0045F0E0,?,?,0043EB1C,00000001), ref: 0042129F
                                                                  • GetLastError.KERNEL32(00000000,0045F0E0,?,?,0043EB1C,00000001), ref: 0045F085
                                                                    • Part of subcall function 00425310: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043EB1C,00000000,?,0045F094,00000000,0045F0E0), ref: 00425334
                                                                    • Part of subcall function 00425310: LocalFree.KERNEL32(00000001,0042538D,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043EB1C,00000000,?,0045F094,00000000,0045F0E0), ref: 00425380
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                                                  • String ID: 6A$(6A$HuC$Sac$ac
                                                                  • API String ID: 503893064-15412982
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0062FA98
                                                                  • GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062FAB1
                                                                  • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062FADB
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0062FAF9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FileHandle$AttributesCloseCreateModule
                                                                  • String ID: GetFinalPathNameByHandleW$kernel32.dll
                                                                  • API String ID: 791737717-340263132
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040710D
                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407113
                                                                  • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040712F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressErrorHandleLastModuleProc
                                                                  • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                  • API String ID: 4275029093-79381301
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0063804C
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,00640F89,00000000,006418A7), ref: 0063807B
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00638090
                                                                  • SetWindowLongW.USER32 ref: 006380B7
                                                                  • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006380D0
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006380F1
                                                                  Similarity
                                                                  • API ID: Window$Long$Show
                                                                  • String ID:
                                                                  • API String ID: 3609083571-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00404872
                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00404878
                                                                  • GetStdHandle.KERNEL32(000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00404897
                                                                  • WriteFile.KERNEL32(00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040489D
                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 004048B4
                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 004048BA
                                                                  Similarity
                                                                  • API ID: FileHandleWrite
                                                                  • String ID:
                                                                  • API String ID: 3320372497-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005F35AD
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005F35D4
                                                                  • SetForegroundWindow.USER32(?,00000000,005F38AC,?,00000000,005F38EA), ref: 005F35E5
                                                                  • DefWindowProcW.USER32(00000000,?,?,?,00000000,005F38AC,?,00000000,005F38EA), ref: 005F3897
                                                                  Strings
                                                                  • Cannot evaluate variable because [Code] isn't running yet, xrefs: 005F371F
                                                                  Similarity
                                                                  • API ID: MessagePostWindow$ForegroundProc
                                                                  • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                  • API String ID: 602442252-3182603685
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00596F48: GetCursorPos.USER32 ref: 00596F4F
                                                                  • SetTimer.USER32(00000000,00000000,00000000,00000000), ref: 005970BF
                                                                  • GetCurrentThreadId.KERNEL32 ref: 005970F9
                                                                  • WaitMessage.USER32(00000000,0059713D,?,?,?,00000000), ref: 0059711D
                                                                  Similarity
                                                                  • API ID: CurrentCursorMessageThreadTimerWait
                                                                  • String ID: D@e$DdY
                                                                  • API String ID: 3909455694-944187075
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00595F5C: SetWindowTextW.USER32(?,00000000), ref: 00595F8D
                                                                  • ShowWindow.USER32(?,00000005,00000000,006422EC,?,?,00000000), ref: 0064207E
                                                                    • Part of subcall function 005A3B4C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A3B5F
                                                                    • Part of subcall function 004216CC: SetCurrentDirectoryW.KERNEL32(00000000,?,006420A6,00000000,006422B3,?,?,00000005,00000000,006422EC,?,?,00000000), ref: 004216D7
                                                                    • Part of subcall function 005A36A0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005A3735,?,?,?,00000001,?,005EE002,00000000,005EE06D), ref: 005A36D5
                                                                  Similarity
                                                                  • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                  • String ID: .dat$.msg$IMsg$Uninstall
                                                                  • API String ID: 3312786188-1660910688
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 0040566B
                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405671
                                                                  • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 00405680
                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405691
                                                                  Similarity
                                                                  • API ID: CurrentDirectory
                                                                  • String ID: :
                                                                  • API String ID: 1611563598-336475711
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • UnhookWindowsHookEx.USER32(00000000), ref: 0059403A
                                                                  • SetEvent.KERNEL32(00000000), ref: 00594066
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0059406B
                                                                  • MsgWaitForMultipleObjects.USER32 ref: 00594094
                                                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 005940A1
                                                                  Similarity
                                                                  • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                                  • String ID:
                                                                  • API String ID: 2132507429-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EB4FB), ref: 005EB4AB
                                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EB4FB), ref: 005EB4BB
                                                                  Similarity
                                                                  • API ID: CloseCreateFileHandle
                                                                  • String ID: .tmp$_iu
                                                                  • API String ID: 3498533004-10593223
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,00642702,?,?,0065A16C,?,00642B32,00000000,00642B3C,?,00000000,00642B6C,?,?), ref: 00642674
                                                                  • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,00642702,?,?,0065A16C,?,00642B32,00000000,00642B3C,?,00000000,00642B6C), ref: 0064269D
                                                                  • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,00642702,?,?,0065A16C,?,00642B32,00000000,00642B3C,?,00000000), ref: 006426B6
                                                                  Similarity
                                                                  • API ID: File$Attributes$Move
                                                                  • String ID: isRS-%.3u.tmp
                                                                  • API String ID: 3839737484-3657609586
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000B06,00000000,00000000), ref: 005F3032
                                                                  • SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 005F30CF
                                                                  Strings
                                                                  • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 005F305E
                                                                  • Failed to create DebugClientWnd, xrefs: 005F3098
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                  • API String ID: 3850602802-3720027226
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005A2A98: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,0065A16C,00000000,005EB8FF,00000000,005EBBDA,?,?,0065A16C), ref: 005A2AC9
                                                                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0060BF27
                                                                  • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0060BF43
                                                                  Similarity
                                                                  • API ID: Type$FullLoadNamePathRegister
                                                                  • String ID: LoadTypeLib$RegisterTypeLib
                                                                  • API String ID: 4170313675-2435364021
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 005EBAFC
                                                                    • Part of subcall function 004210CC: DeleteFileW.KERNEL32(00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210DC
                                                                    • Part of subcall function 004210CC: GetLastError.KERNEL32(00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210EB
                                                                    • Part of subcall function 004210CC: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000,00000000), ref: 004210F3
                                                                    • Part of subcall function 004210CC: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0065A16C,?,00642B17,00000000,00642B6C,?,?,00000005,?,00000000,00000000), ref: 0042110E
                                                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 005EBB29
                                                                    • Part of subcall function 005EAE9C: GetLastError.KERNEL32(00000000,005EBBB2,00000005,00000000,005EBBDA,?,?,0065A16C,?,00000000,00000000,00000000,?,006427AF,00000000,006427CA), ref: 005EAE9F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                                                  • String ID: DeleteFile$MoveFile
                                                                  • API String ID: 3947864702-139070271
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005A4104: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A47DE,?,00000000,?,005A477E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE), ref: 005A4120
                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,0060E678,00000003,00000000,0060E9C7,00000000,0060EB81,?,0060E678,?,00000000,00000000), ref: 0060E871
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpen
                                                                  • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                  • API String ID: 47109696-2631785700
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • RegDeleteKeyW.ADVAPI32(?,00000000), ref: 005A4138
                                                                  • GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,?,00000000,005A431F,00000000,005A4337,?,?,?), ref: 005A4153
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteHandleModule
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 3550747403-4033151799
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006529D4,005F30B6,005F3530,005F2FD4,?,00000B06,00000000,00000000), ref: 005A4DEA
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                    • Part of subcall function 005A4D34: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005A4E2A,?,00000004,006529D4,005F30B6,005F3530,005F2FD4,?,00000B06,00000000,00000000), ref: 005A4D4B
                                                                  • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006529D4,005F30B6,005F3530,005F2FD4,?,00000B06,00000000,00000000), ref: 005A4E1B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressChangeFilterMessageProcWindow
                                                                  • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                  • API String ID: 989041661-2676053874
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • EnterCriticalSection.KERNEL32(?,00000000,004D09BF,?,?), ref: 004D0798
                                                                  • LeaveCriticalSection.KERNEL32(005AC124,004D0996,?,00000000,004D09BF,?,?), ref: 004D0989
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave
                                                                  • String ID: $O`$Default
                                                                  • API String ID: 3168844106-2728598177
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C3E1
                                                                  • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C43F
                                                                  • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C49C
                                                                  • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C4CF
                                                                    • Part of subcall function 0040C38C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C44D), ref: 0040C3A3
                                                                    • Part of subcall function 0040C38C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C44D), ref: 0040C3C0
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$LanguagesPreferred$Language
                                                                  • String ID:
                                                                  • API String ID: 2255706666-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • MulDiv.KERNEL32(?,?,?), ref: 005AC1C1
                                                                  • MulDiv.KERNEL32(?,005AC2F3,?), ref: 005AC1D4
                                                                  • MulDiv.KERNEL32(?,?,?), ref: 005AC1EB
                                                                  • MulDiv.KERNEL32(?,005AC2F3,?), ref: 005AC209
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • IsWindowVisible.USER32 ref: 005972AF
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 005972F1
                                                                  • SetWindowLongW.USER32 ref: 0059730B
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005973C5,?,?,?,00000000), ref: 00597333
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$Visible
                                                                  • String ID:
                                                                  • API String ID: 2967648141-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • FindResourceW.KERNEL32(?,?,?,0043F820,?,00000001,00000000,?,0045F7EE,00000000,00000000,?,0065A16C,?,?,00636218), ref: 0045F8C3
                                                                  • LoadResource.KERNEL32(?,0045F948,?,?,?,0043F820,?,00000001,00000000,?,0045F7EE,00000000,00000000,?,0065A16C,?), ref: 0045F8DD
                                                                  • SizeofResource.KERNEL32(?,0045F948,?,0045F948,?,?,?,0043F820,?,00000001,00000000,?,0045F7EE,00000000,00000000), ref: 0045F8F7
                                                                  • LockResource.KERNEL32(0045F194,00000000,?,0045F948,?,0045F948,?,?,?,0043F820,?,00000001,00000000,?,0045F7EE,00000000), ref: 0045F901
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                  • String ID:
                                                                  • API String ID: 3473537107-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005A4104: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A47DE,?,00000000,?,005A477E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A47DE), ref: 005A4120
                                                                  • RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,00611B33), ref: 005EDD10
                                                                  • RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,00611B33), ref: 005EDD19
                                                                  • RemoveFontResourceW.GDI32(00000000), ref: 005EDD26
                                                                  • SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 005EDD3A
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                  • String ID:
                                                                  • API String ID: 4283692357-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 004EC741
                                                                  • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005980A6,?,?,00000000,00000001,005963A3,?,00000000,00000000,00000000,00000001,?,00000000), ref: 004EC74A
                                                                  • GlobalFindAtomW.KERNEL32(00000000), ref: 004EC75F
                                                                  • GetPropW.USER32 ref: 004EC776
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                  • String ID:
                                                                  • API String ID: 2582817389-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000008), ref: 0062F8F9
                                                                  • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 0062F8FF
                                                                  • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 0062F921
                                                                  • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 0062F932
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                  • String ID:
                                                                  • API String ID: 215268677-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 004D7A4D
                                                                  • SelectObject.GDI32(00000000,058A00B4), ref: 004D7A5F
                                                                  • GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004D7A6A
                                                                  • ReleaseDC.USER32 ref: 004D7A7B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MetricsObjectReleaseSelectText
                                                                  • String ID:
                                                                  • API String ID: 2013942131-0
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 005ED068
                                                                  • GetLastError.KERNEL32(00000000,005ED0B0,?,?,?,00000001), ref: 005ED077
                                                                    • Part of subcall function 005A3B4C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A3B5F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: DirectoryErrorExecuteLastShellSystem
                                                                  • String ID: <
                                                                  • API String ID: 893404051-4251816714
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006409CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Window
                                                                  • String ID: /INITPROCWND=$%x $@
                                                                  • API String ID: 2353593579-4169826103
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • CreateProcessW.KERNEL32 ref: 00640129
                                                                  • CloseHandle.KERNEL32(006401D4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00640190,?,00640180,00000000), ref: 00640146
                                                                    • Part of subcall function 00640014: GetLastError.KERNEL32(00000000,006400AF,?,?,?), ref: 00640037
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CloseCreateErrorHandleLastProcess
                                                                  • String ID: D
                                                                  • API String ID: 3798668922-2746444292
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005ED36C: GetCurrentProcess.KERNEL32(00000028), ref: 005ED37C
                                                                    • Part of subcall function 005ED36C: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005ED382
                                                                  • SetForegroundWindow.USER32(?), ref: 00641828
                                                                  Strings
                                                                  • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0064185F
                                                                  • Restarting Windows., xrefs: 006417FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                  • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                  • API String ID: 3179053593-4147564754
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 00636878: FreeLibrary.KERNEL32(?,00642378,00000000,00642387,?,?,?,?,?,00642E6B), ref: 0063688E
                                                                    • Part of subcall function 00636494: GetTickCount.KERNEL32 ref: 006364DC
                                                                    • Part of subcall function 005F31CC: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 005F31EB
                                                                  • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00642E6B), ref: 006423A1
                                                                  • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00642E6B), ref: 006423A7
                                                                  Strings
                                                                  • Detected restart. Removing temporary directory., xrefs: 0064235B
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                  • String ID: Detected restart. Removing temporary directory.
                                                                  • API String ID: 1717587489-3199836293
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                    • Part of subcall function 005A4F10: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005A4E8E,?,?,?,00641499,0000000A,00000002,00000001,00000031,00000000,006416C7), ref: 005A4F1E
                                                                  • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,00641499,0000000A,00000002,00000001,00000031,00000000,006416C7,?,00000000,00641794), ref: 005A4E98
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule$AddressProc
                                                                  • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                  • API String ID: 1883125708-2866557904
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,005EB680,00000000,005EB752,?,?,0065A16C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A3B92
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                  • API String ID: 1646373207-1816364905
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005A4E2A,?,00000004,006529D4,005F30B6,005F3530,005F2FD4,?,00000B06,00000000,00000000), ref: 005A4D4B
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: ChangeWindowMessageFilter$user32.dll
                                                                  • API String ID: 1646373207-2498399450
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005A4E8E,?,?,?,00641499,0000000A,00000002,00000001,00000031,00000000,006416C7), ref: 005A4F1E
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                  • API String ID: 1646373207-260599015
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0064D4FE,00000001,00000000,0064D524,?,?,000000EC,00000000), ref: 00642EAA
                                                                    • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.359275104.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_400000_PhraseExpressSetup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleModuleProc
                                                                  • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                  • API String ID: 1646373207-834958232
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%