Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1659984
MD5:	7d41b083ab75ae56089f43076b4d4750
SHA1:	9b7c2adca9999488f9386ab3bf66587c83c19002
SHA256:	ce97912ff64a09437f2c37a836b8a9a7b3d53b7d4d6bc5779301c170a988b349
Infos:

Detection

Score:	1
Range:	0 - 100
Confidence:	80%

Signatures

PE file contains executable resources (Code or Archives)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

setup.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 7D41B083AB75AE56089F43076B4D4750)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: setup.exe

Static PE information: certificate valid

Source:

Binary string: c:\P4\NIInstallers\trunk\16.0\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.1276327822.00000000007E6000.00000040.00000001.01000000.00000003.sdmp

Source: setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4
Source: setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://apache.org/xml/features/dom/byte-order-markformat-pretty-print
Source: setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml
Source: setup.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: setup.exe, 00000000.00000002.1276327822.00000000008E9000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartup
Source: setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartupSOFTWARE
Source: setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://digital.ni.com/express.nsf/bycode/exke86
Source: setup.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: setup.exe	String found in binary or memory: http://s.symcd.com0_
Source: setup.exe	String found in binary or memory: http://sw.symcb.com/sw.crl0f
Source: setup.exe	String found in binary or memory: http://sw.symcd.com0
Source: setup.exe	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: setup.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: setup.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: setup.exe	String found in binary or memory: https://d.symcb.com/rpa0)

Source: setup.exe	Static PE information: Resource name: RT_DIALOG type: COM executable for DOS
Source: setup.exe	Static PE information: Resource name: RT_GROUP_CURSOR type: DOS executable (COM)

Source: setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: clean1.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: setup.exe

Static PE information: certificate valid

Source: setup.exe

Static file information: File size 1471560 > 1048576

Source: setup.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x143a00

Source:

Binary string: c:\P4\NIInstallers\trunk\16.0\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.1276327822.00000000007E6000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\setup.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	0%	Virustotal		Browse
setup.exe	2%	ReversingLabs

Name	Source	Malicious	Reputation
http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI	setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	high
http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4	setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	setup.exe	false	high
http://apache.org/xml/features/dom/byte-order-markformat-pretty-print	setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	high
http://ocsp.thawte.com0	setup.exe	false	high
http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml	setup.exe, 00000000.00000002.1276327822.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1659984
Start date and time:	2025-04-08 21:24:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	CLEAN
Classification:	clean1.winEXE@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, ShellExperienceHost.exe, SgrmBroker.exe, svchost.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.907903047353753
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	setup.exe
File size:	1'471'560 bytes
MD5:	7d41b083ab75ae56089f43076b4d4750
SHA1:	9b7c2adca9999488f9386ab3bf66587c83c19002
SHA256:	ce97912ff64a09437f2c37a836b8a9a7b3d53b7d4d6bc5779301c170a988b349
SHA512:	5f9c3234a5c9bf9f63a11a4901d3a9b45d19ca5b7f66124213a7d57f099769dd28dd7d54080601ea51643f69dc5c271f01b3e26a4fed559846bd3fba69985bc7
SSDEEP:	24576:2uJYOwAqIRCQVIOZW3X5qFqxoLXtf++DQTKitrKeBEgLhJWHtbU4/R3gQS/LfzrU:ViA380E3nSA+DQ9rKeBNuNbF/RQQS/LM
TLSH:	0D653389DF14DAB2F6A5817F8457C6C59F71F88273E5CF8B6CA1AE4EB9F07026A01014
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(.pA(.pA(.pA-./A,.pA...A+.pA!..A..pA!..A..pA6..A+.pA.K.A..pA.K.A7.pA(.qA..pA!..A..pA!..A).pA6..A).pA!..A).pARich(.pA.......

File Icon


Icon Hash:	a6a7b4b4a4e5e563

Static PE Info

General

Entrypoint:	0x90a7c0
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x575745F4 [Tue Jun 7 22:08:52 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	ab8c7e344596e3e6d6c6a5375f98bde9

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/08/2015 20:00:00 30/08/2018 19:59:59
Subject Chain	CN=National Instruments Corporation, O=National Instruments Corporation, L=Austin, S=Texas, C=US, SERIALNUMBER=2398688, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	9C9D38965AAD7983928E390346E2AB1A
Thumbprint SHA-1:	D40EA2D10461CDCB7DBEA7534C73ECE315A5EAE9
Thumbprint SHA-256:	3FAB0D1BCA68CBE66AE47DC1522D44CDE49ADD376BEF0EBEABC5548EE010A7F7
Serial:	4447EEA22628B51A9983078B74068D9B

Entrypoint Preview

Instruction
pushad
mov esi, 007C7000h
lea edi, dword ptr [esi-003C6000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FD038F1C5D2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FD038F1C5AFh
mov eax, 00000001h
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FD038F1C5CDh
jne 00007FD038F1C5EAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FD038F1C5E1h
dec eax
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FD038F1C596h
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FD038F1C614h
xor ecx, ecx
sub eax, 03h
jc 00007FD038F1C5D3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FD038F1C637h
sar eax, 1
mov ebp, eax
jmp 00007FD038F1C5CDh
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FD038F1C58Eh
inc ecx
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FD038F1C580h
add ebx, ebx
jne 00007FD038F1C5C9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FD038F1C5B1h
jne 00007FD038F1C5CBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FD038F1C5A6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Rich Headers

Programming Language:

[ C ] VS2003 (.NET) build 3077
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 build 21022
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x52c6f4	0x6c	.rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52c374	0x380	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50b000	0x21374	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x165600	0x1e48	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x50a96c	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x46c7e4	0xc0	UPX1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x3c6000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x3c7000	0x144000	0x143a00	ec374e30f7610c8cff7e3144a2ff2d64	False	0.9854696250965623	data	7.9264786499236735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50b000	0x22000	0x21800	39725c214c31ce71a23e6ae55b785196	False	0.8321332789179104	data	7.376805774734939	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4b0700	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b0834	0xb4	data	English	United States	1.0611111111111111
RT_CURSOR	0x4b08e8	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b0a1c	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b0b50	0x134	OpenPGP Secret Key	English	United States	1.0357142857142858
RT_CURSOR	0x4b0c84	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b0db8	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b0eec	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b1020	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b1154	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b1288	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b13bc	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b14f0	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b1624	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b1758	0x134	data	English	United States	1.0357142857142858
RT_CURSOR	0x4b188c	0x134	data	English	United States	1.0357142857142858
RT_BITMAP	0x4b19c0	0x3e8	data	English	United States	1.011
RT_BITMAP	0x4b1da8	0x3e8	data	English	United States	1.011
RT_BITMAP	0x4b2190	0x1328	data	English	United States	1.0
RT_BITMAP	0x4b34b8	0x1328	data	English	United States	0.9959216965742251
RT_BITMAP	0x4b47e0	0x3e8	data	English	United States	1.011
RT_BITMAP	0x4b4bc8	0x1328	data	English	United States	0.9959216965742251
RT_BITMAP	0x4b5ef0	0x1328	data	English	United States	0.9906199021207178
RT_BITMAP	0x4b7218	0x1328	data	English	United States	0.9914355628058727
RT_BITMAP	0x4b8540	0x1328	data	English	United States	0.9971451876019576
RT_BITMAP	0x4b9868	0x3e8	data	English	United States	1.011
RT_BITMAP	0x4b9c50	0xb8	data	English	United States	1.059782608695652
RT_BITMAP	0x4b9d08	0x144	data	English	United States	1.0339506172839505
RT_ICON	0x50e704	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6047297297297297
RT_ICON	0x50e830	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5404624277456648
RT_ICON	0x4ba4dc	0x8a8	data	English	United States	1.0049638989169676
RT_ICON	0x4bad84	0x568	data	English	United States	1.0079479768786128
RT_ICON	0x4bb2ec	0xca8	data	English	United States	1.003395061728395
RT_ICON	0x4bbf94	0x368	data	English	United States	1.0126146788990826
RT_ICON	0x4bc2fc	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bc4a4	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bc64c	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bc7f4	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bc99c	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bcb44	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bccec	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bce94	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bd03c	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bd1e4	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bd38c	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bd534	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bd6dc	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bd884	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bda2c	0x2e8	data	English	United States	1.0147849462365592
RT_ICON	0x4bdd14	0x128	data	English	United States	1.037162162162162
RT_ICON	0x4bde3c	0x568	data	English	United States	1.0079479768786128
RT_ICON	0x4be3a4	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4be54c	0x2e8	data	English	United States	1.0147849462365592
RT_ICON	0x4be834	0x128	data	English	United States	1.037162162162162
RT_ICON	0x4be95c	0x568	data	English	United States	1.0079479768786128
RT_ICON	0x4beec4	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bf06c	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4bf214	0x2e8	data	English	United States	1.0147849462365592
RT_ICON	0x4bf4fc	0x1ca8	data	English	United States	0.9941384950926936
RT_ICON	0x4c11a4	0xca8	data	English	United States	1.003395061728395
RT_ICON	0x4c1e4c	0x668	OpenPGP Public Key	English	United States	1.0067073170731706
RT_ICON	0x4c24b4	0x1ca8	data	English	United States	0.9946837513631407
RT_ICON	0x4c415c	0xca8	data	English	United States	1.003395061728395
RT_ICON	0x4c4e04	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4c546c	0x1ca8	data	English	United States	0.9934569247546347
RT_ICON	0x4c7114	0xca8	data	English	United States	0.9962962962962963
RT_ICON	0x4c7dbc	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4c8424	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4c8a8c	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4c90f4	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4c975c	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4c9dc4	0x668	data	English	United States	1.0067073170731706
RT_ICON	0x4ca42c	0xca8	OpenPGP Secret Key	English	United States	1.003395061728395
RT_ICON	0x4cb0d4	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4cb27c	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4cb424	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4cb5cc	0x1a8	data	English	United States	1.025943396226415
RT_ICON	0x4cb774	0x468	data	English	United States	1.0097517730496455
RT_ICON	0x4cbbdc	0xca8	data	English	United States	1.003395061728395
RT_ICON	0x50ed9c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5174731182795699
RT_ICON	0x50f088	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7608303249097473
RT_ICON	0x50f934	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.4024390243902439
RT_ICON	0x50ffa0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6071428571428571
RT_ICON	0x510e4c	0x54f3	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9929185634800203
RT_ICON	0x516344	0x9381	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9919758480972432
RT_ICON	0x51f6cc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5682624113475178
RT_ICON	0x51fb38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6181988742964353
RT_ICON	0x520be4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5099585062240664
RT_ICON	0x523190	0x88fb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9958935751561296
RT_DIALOG	0x4e9550	0x1e0	data	English	United States	1.0229166666666667
RT_DIALOG	0x4e9730	0xe8	data	English	United States	1.0474137931034482
RT_DIALOG	0x4e9818	0x64	data	English	United States	1.07
RT_DIALOG	0x4e987c	0x302	data	English	United States	1.0142857142857142
RT_DIALOG	0x4e9b80	0x20	data	English	United States	1.34375
RT_DIALOG	0x4e9ba0	0x18	data	English	United States	1.375
RT_DIALOG	0x4e9bb8	0x144	data	English	United States	1.0339506172839505
RT_DIALOG	0x4e9cfc	0x136	data	English	United States	1.0354838709677419
RT_DIALOG	0x4e9e34	0x32	data	English	United States	1.12
RT_DIALOG	0x4e9e68	0x1a4	data	English	United States	1.026190476190476
RT_DIALOG	0x4ea00c	0x296	data	English	United States	0.9954682779456193
RT_DIALOG	0x4ea2a4	0x220	data	English	United States	1.0202205882352942
RT_DIALOG	0x4ea4c4	0xc0	data	English	United States	1.0572916666666667
RT_DIALOG	0x4ea584	0x238	COM executable for DOS	English	United States	1.0193661971830985
RT_DIALOG	0x4ea7bc	0x17e	data	English	United States	1.0287958115183247
RT_DIALOG	0x4ea93c	0xe2	data	English	United States	1.0486725663716814
RT_DIALOG	0x4eaa20	0xd4	data	English	United States	1.0518867924528301
RT_DIALOG	0x4eaaf4	0xe2	data	English	United States	1.0353982300884956
RT_DIALOG	0x4eabd8	0x114	data	English	United States	1.039855072463768
RT_DIALOG	0x4eacec	0x8c	data	English	United States	1.0785714285714285
RT_DIALOG	0x4ead78	0xd8	data	English	United States	1.0509259259259258
RT_DIALOG	0x4eae50	0xca	data	English	United States	1.0544554455445545
RT_DIALOG	0x4eaf1c	0x49e	data	English	United States	1.0050761421319796
RT_DIALOG	0x4eb3bc	0x5f8	data	English	United States	0.9941099476439791
RT_DIALOG	0x4eb9b4	0xe8	data	English	United States	1.0474137931034482
RT_DIALOG	0x4eba9c	0x34	data	English	United States	1.1730769230769231
RT_STRING	0x4ebad0	0x5b4	data	English	United States	0.9815068493150685
RT_STRING	0x4ec084	0x974	data	English	United States	0.9768595041322314
RT_STRING	0x4ec9f8	0x86a	data	English	United States	0.968430826369545
RT_STRING	0x4ed264	0x358	data	English	United States	1.0128504672897196
RT_STRING	0x4ed5bc	0x616	data	English	United States	1.0070603337612323
RT_STRING	0x4edbd4	0x2ca	data	English	United States	1.015406162464986
RT_STRING	0x4edea0	0x446	data	English	United States	0.9990859232175503
RT_STRING	0x4ee2e8	0x44a	data	English	United States	0.9981785063752276
RT_STRING	0x4ee734	0x3e6	data	English	United States	1.0110220440881763
RT_STRING	0x4eeb1c	0x662	data	English	United States	0.9938800489596084
RT_STRING	0x4ef180	0x90e	data	English	United States	0.9754098360655737
RT_STRING	0x4efa90	0x67e	data	English	United States	0.9897713598074609
RT_STRING	0x4f0110	0x5da	SysEx File - ELKA	English	United States	0.9919893190921228
RT_STRING	0x4f06ec	0x7e6	data	English	United States	0.9915924826904056
RT_STRING	0x4f0ed4	0x79c	data	English	United States	1.0010266940451746
RT_STRING	0x4f1670	0x59e	data	English	United States	1.0076495132127956
RT_STRING	0x4f1c10	0x540	Novell LANalyzer capture file	English	United States	1.0081845238095237
RT_STRING	0x4f2150	0x580	data	English	United States	0.9879261363636364
RT_STRING	0x4f26d0	0xde	data	English	United States	1.0495495495495495
RT_STRING	0x4f27b0	0x2f2	data	English	United States	1.0145888594164456
RT_STRING	0x4f2aa4	0x4d2	data	English	United States	1.0089141004862237
RT_STRING	0x4f2f78	0x288	data	German	Germany	1.0169753086419753
RT_STRING	0x4f3200	0x20e	data	English	United States	1.020912547528517
RT_STRING	0x4f3410	0x252	data	French	France	1.0185185185185186
RT_STRING	0x4f3664	0x148	data	Japanese	Japan	1.0335365853658536
RT_STRING	0x4f37ac	0x14a	data	Korean	North Korea	1.0333333333333334
RT_STRING	0x4f37ac	0x14a	data	Korean	South Korea	1.0333333333333334
RT_STRING	0x4f38f8	0xe8	data	Chinese	China	1.0474137931034482
RT_STRING	0x4f39e0	0x438	data	German	Germany	1.010185185185185
RT_STRING	0x4f3e18	0x33a	data	English	United States	1.013317191283293
RT_STRING	0x4f4154	0x418	data	French	France	1.0104961832061068
RT_STRING	0x4f456c	0x22e	data	Japanese	Japan	1.0197132616487454
RT_STRING	0x4f479c	0x232	data	Korean	North Korea	1.019572953736655
RT_STRING	0x4f479c	0x232	data	Korean	South Korea	1.019572953736655
RT_STRING	0x4f49d0	0x172	data	Chinese	China	1.0297297297297296
RT_STRING	0x4f4b44	0x124	data	German	Germany	1.0376712328767124
RT_STRING	0x4f4c68	0xf0	data	English	United States	1.0333333333333334
RT_STRING	0x4f4d58	0x142	data	French	France	1.0341614906832297
RT_STRING	0x4f4e9c	0x9a	data	Japanese	Japan	1.0714285714285714
RT_STRING	0x4f4f38	0xb2	data	Korean	North Korea	1.0617977528089888
RT_STRING	0x4f4f38	0xb2	data	Korean	South Korea	1.0617977528089888
RT_STRING	0x4f4fec	0x6e	data	Chinese	China	1.1
RT_STRING	0x4f505c	0x166	data	German	Germany	1.0307262569832403
RT_STRING	0x4f51c4	0x10a	data	English	United States	1.0413533834586466
RT_STRING	0x4f52d0	0x14a	data	French	France	1.0333333333333334
RT_STRING	0x4f541c	0xb2	data	Japanese	Japan	1.050561797752809
RT_STRING	0x4f54d0	0xb4	data	Korean	North Korea	1.0611111111111111
RT_STRING	0x4f54d0	0xb4	data	Korean	South Korea	1.0611111111111111
RT_STRING	0x4f5584	0x6e	data	Chinese	China	1.1
RT_STRING	0x4f55f4	0x1a0	data	German	Germany	1.0264423076923077
RT_STRING	0x4f5794	0x16e	data	English	United States	1.030054644808743
RT_STRING	0x4f5904	0x1c6	data	French	France	1.024229074889868
RT_STRING	0x4f5acc	0xcc	data	Japanese	Japan	1.053921568627451
RT_STRING	0x4f5b98	0xd0	data	Korean	North Korea	1.0528846153846154
RT_STRING	0x4f5b98	0xd0	data	Korean	South Korea	1.0528846153846154
RT_STRING	0x4f5c68	0x78	data	Chinese	China	1.0916666666666666
RT_STRING	0x4f5ce0	0x37e	OpenPGP Secret Key	German	Germany	1.012304250559284
RT_STRING	0x4f6060	0x294	data	English	United States	1.0166666666666666
RT_STRING	0x4f62f4	0x35e	data	French	France	1.0127610208816706
RT_STRING	0x4f6654	0x184	data	Japanese	Japan	1.0283505154639174
RT_STRING	0x4f67d8	0x190	data	Korean	North Korea	1.0275
RT_STRING	0x4f67d8	0x190	data	Korean	South Korea	1.0275
RT_STRING	0x4f6968	0xdc	data	Chinese	China	1.05
RT_STRING	0x4f6a44	0x3b6	data	German	Germany	1.0115789473684211
RT_STRING	0x4f6dfc	0x33a	data	English	United States	1.013317191283293
RT_STRING	0x4f7138	0x428	data	French	France	1.0103383458646618
RT_STRING	0x4f7560	0x1ee	data	Japanese	Japan	1.0222672064777327
RT_STRING	0x4f7750	0x1ee	data	Korean	North Korea	1.0222672064777327
RT_STRING	0x4f7750	0x1ee	data	Korean	South Korea	1.0222672064777327
RT_STRING	0x4f7940	0x134	data	Chinese	China	0.9902597402597403
RT_STRING	0x4f7a74	0xb4	data	German	Germany	1.0444444444444445
RT_STRING	0x4f7b28	0x88	data	English	United States	1.0808823529411764
RT_STRING	0x4f7bb0	0xa0	data	French	France	1.06875
RT_STRING	0x4f7c50	0x4c	OpenPGP Secret Key	Japanese	Japan	1.144736842105263
RT_STRING	0x4f7c9c	0x54	data	Korean	North Korea	1.130952380952381
RT_STRING	0x4f7c9c	0x54	data	Korean	South Korea	1.130952380952381
RT_STRING	0x4f7cf0	0x3c	data	Chinese	China	1.1833333333333333
RT_STRING	0x4f7d2c	0x50	data	German	Germany	1.0875
RT_STRING	0x4f7d7c	0x48	data	English	United States	1.1527777777777777
RT_STRING	0x4f7dc4	0x50	data	French	France	1.1375
RT_STRING	0x4f7e14	0x3e	data	Japanese	Japan	1.1774193548387097
RT_STRING	0x4f7e54	0x46	data	Korean	North Korea	1.1571428571428573
RT_STRING	0x4f7e54	0x46	data	Korean	South Korea	1.1571428571428573
RT_STRING	0x4f7e9c	0x32	data	Chinese	China	1.1
RT_STRING	0x4f7ed0	0x47c	data	German	Germany	1.009581881533101
RT_STRING	0x4f834c	0x380	data	English	United States	1.0122767857142858
RT_STRING	0x4f86cc	0x4f2	data	French	France	1.0086887835703002
RT_STRING	0x4f8bc0	0x2b6	data	Japanese	Japan	0.9855907780979827
RT_STRING	0x4f8e78	0x2aa	data	Korean	North Korea	1.002932551319648
RT_STRING	0x4f8e78	0x2aa	data	Korean	South Korea	1.002932551319648
RT_STRING	0x4f9124	0x180	data	Chinese	China	1.0286458333333333
RT_STRING	0x4f92a4	0xa88	data	German	Germany	0.9855341246290801
RT_STRING	0x4f9d2c	0x98c	data	English	United States	0.9946808510638298
RT_STRING	0x4fa6b8	0xb36	data	French	France	0.997212543554007
RT_STRING	0x4fb1f0	0x524	data	Japanese	Japan	1.0083586626139818
RT_STRING	0x4fb714	0x5ee	data	Korean	North Korea	1.0072463768115942
RT_STRING	0x4fb714	0x5ee	data	Korean	South Korea	1.0072463768115942
RT_STRING	0x4fbd04	0x390	data	Chinese	China	1.0120614035087718
RT_STRING	0x4fc094	0x1dc	data	German	Germany	1.023109243697479
RT_STRING	0x4fc270	0x18c	data	English	United States	1.0277777777777777
RT_STRING	0x4fc3fc	0x202	data	French	France	1.0214007782101167
RT_STRING	0x4fc600	0xd8	data	Japanese	Japan	1.0509259259259258
RT_STRING	0x4fc6d8	0xc6	data	Korean	North Korea	1.0555555555555556
RT_STRING	0x4fc6d8	0xc6	data	Korean	South Korea	1.0555555555555556
RT_STRING	0x4fc7a0	0x80	data	Chinese	China	1.0859375
RT_STRING	0x4fc820	0xa6	data	German	Germany	1.0662650602409638
RT_STRING	0x4fc8c8	0x8c	data	English	United States	1.0785714285714285
RT_STRING	0x4fc954	0xa6	data	French	France	1.0662650602409638
RT_STRING	0x4fc9fc	0x6e	data	Japanese	Japan	1.1
RT_STRING	0x4fca6c	0x72	data	Korean	North Korea	1.0964912280701755
RT_STRING	0x4fca6c	0x72	data	Korean	South Korea	1.0964912280701755
RT_STRING	0x4fcae0	0x40	data	Chinese	China	1.171875
RT_STRING	0x4fcb20	0x136	data	German	Germany	1.0354838709677419
RT_STRING	0x4fcc58	0x11e	data	English	United States	1.0384615384615385
RT_STRING	0x4fcd78	0x11e	data	French	France	1.0384615384615385
RT_STRING	0x4fce98	0x11e	data	Japanese	Japan	1.0384615384615385
RT_STRING	0x4fcfb8	0xf4	data	Korean	North Korea	1.0450819672131149
RT_STRING	0x4fcfb8	0xf4	data	Korean	South Korea	1.0450819672131149
RT_STRING	0x4fd0ac	0x11e	data	Chinese	China	1.0384615384615385
RT_STRING	0x4fd1cc	0x5a	OpenPGP Public Key	German	Germany	1.1222222222222222
RT_STRING	0x4fd228	0x52	data	English	United States	1.1341463414634145
RT_STRING	0x4fd27c	0x52	data	French	France	1.1341463414634145
RT_STRING	0x4fd2d0	0x52	data	Japanese	Japan	1.1341463414634145
RT_STRING	0x4fd324	0x44	data	Korean	North Korea	1.161764705882353
RT_STRING	0x4fd324	0x44	data	Korean	South Korea	1.161764705882353
RT_STRING	0x4fd368	0x52	data	Chinese	China	1.1341463414634145
RT_STRING	0x4fd3bc	0x68	data	German	Germany	1.1057692307692308
RT_STRING	0x4fd424	0x6a	data	English	United States	1.1037735849056605
RT_STRING	0x4fd490	0x70	data	French	France	1.0982142857142858
RT_STRING	0x4fd500	0x48	data	Japanese	Japan	1.1527777777777777
RT_STRING	0x4fd548	0x4a	data	Korean	North Korea	1.1486486486486487
RT_STRING	0x4fd548	0x4a	data	Korean	South Korea	1.1486486486486487
RT_STRING	0x4fd594	0x38	data	Chinese	China	1.1964285714285714
RT_STRING	0x4fd5cc	0x21a	data	German	Germany	1.020446096654275
RT_STRING	0x4fd7e8	0x222	data	English	United States	1.02014652014652
RT_STRING	0x4fda0c	0x286	data	French	France	1.0170278637770898
RT_STRING	0x4fdc94	0x11c	data	Japanese	Japan	1.0387323943661972
RT_STRING	0x4fddb0	0x174	data	Korean	North Korea	1.0295698924731183
RT_STRING	0x4fddb0	0x174	data	Korean	South Korea	1.0295698924731183
RT_STRING	0x4fdf24	0xcc	data	Chinese	China	1.053921568627451
RT_STRING	0x4fdff0	0x2d6	data	German	Germany	1.0151515151515151
RT_STRING	0x4fe2c8	0x270	data	English	United States	1.017628205128205
RT_STRING	0x4fe538	0x2ce	data	French	France	1.0153203342618384
RT_STRING	0x4fe808	0x168	data	Japanese	Japan	1.0305555555555554
RT_STRING	0x4fe970	0x198	data	Korean	North Korea	1.0269607843137254
RT_STRING	0x4fe970	0x198	data	Korean	South Korea	1.0269607843137254
RT_STRING	0x4feb08	0xde	data	Chinese	China	1.0495495495495495
RT_STRING	0x4febe8	0x1e0	data	German	Germany	1.0229166666666667
RT_STRING	0x4fedc8	0x12a	data	English	United States	1.0369127516778522
RT_STRING	0x4feef4	0x17e	data	French	France	1.0287958115183247
RT_STRING	0x4ff074	0xec	data	Japanese	Japan	1.0466101694915255
RT_STRING	0x4ff160	0xe6	data	Korean	North Korea	1.0478260869565217
RT_STRING	0x4ff160	0xe6	data	Korean	South Korea	1.0478260869565217
RT_STRING	0x4ff248	0x98	data	Chinese	China	1.0723684210526316
RT_STRING	0x4ff2e0	0x96	data	German	Germany	1.0733333333333333
RT_STRING	0x4ff378	0x6c	data	English	United States	1.1018518518518519
RT_STRING	0x4ff3e4	0x80	data	French	France	1.0859375
RT_STRING	0x4ff464	0x4a	data	Japanese	Japan	1.1486486486486487
RT_STRING	0x4ff4b0	0x48	data	Korean	North Korea	1.1527777777777777
RT_STRING	0x4ff4b0	0x48	data	Korean	South Korea	1.1527777777777777
RT_STRING	0x4ff4f8	0x3a	data	Chinese	China	1.1896551724137931
RT_STRING	0x4ff534	0x1f2	data	German	Germany	1.0220883534136547
RT_STRING	0x4ff728	0x196	data	English	United States	1.0270935960591132
RT_STRING	0x4ff8c0	0x21a	data	French	France	1.020446096654275
RT_STRING	0x4ffadc	0x132	data	Japanese	Japan	1.0359477124183007
RT_STRING	0x4ffc10	0x11c	data	Korean	North Korea	1.0387323943661972
RT_STRING	0x4ffc10	0x11c	data	Korean	South Korea	1.0387323943661972
RT_STRING	0x4ffd2c	0xe2	OpenPGP Public Key	Chinese	China	1.0486725663716814
RT_STRING	0x4ffe10	0x50	data	German	Germany	1.1375
RT_STRING	0x4ffe60	0x44	data	English	United States	1.161764705882353
RT_STRING	0x4ffea4	0x42	data	French	France	1.1666666666666667
RT_STRING	0x4ffee8	0x2a	data	Japanese	Japan	1.2619047619047619
RT_STRING	0x4fff14	0x2e	data	Korean	North Korea	1.2391304347826086
RT_STRING	0x4fff14	0x2e	data	Korean	South Korea	1.2391304347826086
RT_STRING	0x4fff44	0x28	data	Chinese	China	1.275
RT_STRING	0x4fff6c	0x4ae	data	English	United States	1.0091819699499165
RT_STRING	0x50041c	0x3f0	data	English	United States	1.0109126984126984
RT_STRING	0x50080c	0x3e2	data	English	United States	1.011066398390342
RT_STRING	0x500bf0	0x6c	data	English	United States	1.1018518518518519
RT_STRING	0x500c5c	0xbe6	data	English	United States	0.9517399868680236
RT_STRING	0x501844	0x18a2	data	English	United States	0.9744687599111956
RT_STRING	0x5030e8	0x478	data	English	United States	1.0096153846153846
RT_STRING	0x503560	0x148	data	English	United States	1.0335365853658536
RT_STRING	0x5036a8	0x2e8	data	English	United States	1.0147849462365592
RT_STRING	0x503990	0x220	data	English	United States	1.0202205882352942
RT_STRING	0x503bb0	0x22a	data	English	United States	1.01985559566787
RT_STRING	0x503ddc	0x82	data	English	United States	1.0846153846153845
RT_STRING	0x503e60	0x2a	data	English	United States	1.2619047619047619
RT_STRING	0x503e8c	0x184	data	English	United States	1.0283505154639174
RT_STRING	0x504010	0x4e6	data	English	United States	1.0087719298245614
RT_STRING	0x5044f8	0x264	data	English	United States	1.0179738562091503
RT_STRING	0x50475c	0x2da	data	English	United States	1.015068493150685
RT_STRING	0x504a38	0x8a	PGP Secret Sub-key -	English	United States	1.0797101449275361
RT_STRING	0x504ac4	0xac	data	English	United States	1.063953488372093
RT_STRING	0x504b70	0xde	data	English	United States	1.0495495495495495
RT_STRING	0x504c50	0x4a8	data	English	United States	1.0092281879194631
RT_STRING	0x5050f8	0x228	data	English	United States	1.019927536231884
RT_STRING	0x505320	0x2c	data	English	United States	1.2045454545454546
RT_STRING	0x50534c	0x42	data	English	United States	1.1666666666666667
RT_ACCELERATOR	0x505390	0x10	compacted data	English	United States	1.5
RT_GROUP_CURSOR	0x5053a0	0x22	data	English	United States	1.2647058823529411
RT_GROUP_CURSOR	0x5053c4	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x5053d8	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x5053ec	0x14	Non-ISO extended-ASCII text, with no line terminators, with escape sequences	English	United States	1.45
RT_GROUP_CURSOR	0x505400	0x14	DOS executable (COM)	English	United States	1.4
RT_GROUP_CURSOR	0x505414	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x505428	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x50543c	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x505450	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x505464	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x505478	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x50548c	0x14	data	English	United States	1.4
RT_GROUP_CURSOR	0x5054a0	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x5054b4	0x14	data	English	United States	1.45
RT_GROUP_CURSOR	0x5054c8	0x14	OpenPGP Public Key	English	United States	1.45
RT_GROUP_ICON	0x52ba90	0xae	data	English	United States	0.6666666666666666
RT_GROUP_ICON	0x50558c	0x3e	data	English	United States	1.1774193548387097
RT_GROUP_ICON	0x5055cc	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x5055e0	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x5055f4	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x505608	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x50561c	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x505630	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x505644	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x505658	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x50566c	0x14	Non-ISO extended-ASCII text, with no line terminators	English	United States	1.45
RT_GROUP_ICON	0x505680	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x505694	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x5056a8	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x5056bc	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x5056d0	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x5056e4	0x30	data	English	United States	1.2291666666666667
RT_GROUP_ICON	0x505714	0x30	data	English	United States	1.2291666666666667
RT_GROUP_ICON	0x505744	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x505758	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x50576c	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x505780	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x505794	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x5057a8	0x22	data	English	United States	1.2647058823529411
RT_GROUP_ICON	0x5057cc	0x3e	data	English	United States	1.1451612903225807
RT_GROUP_ICON	0x50580c	0x22	data	English	United States	1.2352941176470589
RT_GROUP_ICON	0x505830	0x3e	data	English	United States	1.1774193548387097
RT_GROUP_ICON	0x505870	0x30	data	English	United States	1.2291666666666667
RT_GROUP_ICON	0x5058a0	0x14	Non-ISO extended-ASCII text, with no line terminators	English	United States	1.45
RT_GROUP_ICON	0x5058b4	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x5058c8	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x5058dc	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x5058f0	0x14	data	English	United States	1.4
RT_VERSION	0x52bb44	0x34c	data	English	United States	0.42890995260663506
RT_MANIFEST	0x52be94	0x4e0	ASCII text, with very long lines (799), with CRLF line terminators	English	United States	0.43669871794871795

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMDLG32.dll	GetFileTitleW
GDI32.dll	ArcTo
MPR.dll	WNetGetUserW
ole32.dll	CoInitialize
OLEAUT32.dll	SafeArrayPutElement
PSAPI.DLL	GetModuleFileNameExW
RPCRT4.dll	UuidCreate
SHELL32.dll	DragFinish
USER32.dll	GetDC
VERSION.dll	VerQueryValueW
WININET.dll	InternetCheckConnectionW
WINSPOOL.DRV	GetJobW
WS2_32.dll	closesocket
WTSAPI32.dll	WTSFreeMemory

Exports

Name	Ordinal	Address
NI_MetaToolbox_MetaOutput_GetSharedGlobalData	1	0x61e5f0

Version Infos

Description	Data
CompanyName	National Instruments
FileDescription	National Instruments Installer
FileVersion	16.0.0.171
InternalName	MetaInstaller
LegalCopyright	Copyright 2003-2016. All Rights Reserved.
OriginalFilename	Setup.exe
ProductName	National Instruments Installer
ProductVersion	16.0.0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
German	Germany
French	France
Japanese	Japan
Korean	North Korea
Korean	South Korea
Chinese	China

• setup.exe

Click to jump to process

Memory Usage

• setup.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	15:25:23
Start date:	08/04/2025
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x400000
File size:	1'471'560 bytes
MD5 hash:	7D41B083AB75AE56089F43076B4D4750
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: setup.exePID: 6312, Parent PID: 496

General

File Activities

File Opened

File Read

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Windows Analysis Report
setup.exe