Windows Analysis Report
ArbExpress_V3.6_en_0703_066146106.exe

Overview

General Information

Sample name: ArbExpress_V3.6_en_0703_066146106.exe
Analysis ID: 1528662
MD5: e2e80e23d79df3609dcaee7c2d7c2e72
SHA1: 5318eef048fc22d2a027a1715658089c34c1d41d
SHA256: 5c9ab13b2956d8dfadde510ea37578d8a67a59aff8d40d7524c756e1b602db5f

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Installs new ROOT certificates
PE file has a writeable .text section
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ArbExpress_V3.6_en_0703_066146106.exe (PID: 2200 cmdline: "C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe" MD5: E2E80E23D79DF3609DCAEE7C2D7C2E72)
    • ISBEW64.exe (PID: 5880 cmdline: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A3681F74-C246-4C16-9456-61CA4AC85351} MD5: B83D2774CDAF5016CD8765A630FA1150)
    • dotnetinstaller.exe (PID: 3160 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dotnetinstaller.exe (PID: 2716 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dotnetinstaller.exe (PID: 5060 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 4752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dotnetinstaller.exe (PID: 5864 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dotnetinstaller.exe (PID: 2576 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dotnetinstaller.exe (PID: 2884 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dotnetinstaller.exe (PID: 7088 cmdline: "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll" MD5: 8F50951DC767385E6E9801ECACC621E3)
      • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5388 cmdline: C:\Windows\SysWOW64\cmd.exe /c cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cacls.exe (PID: 1412 cmdline: cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F MD5: 00BAAE10C69DAD58F169A3ED638D6C59)
  • SrTasks.exe (PID: 2612 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: ArbExpress_V3.6_en_0703_066146106.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeWindow detected: &Next > Cancel < &Back Release Notes The InstallShield Wizard will install Tektronix ArbExpress Software on your system. This program is subject to the accompanying Tektronix Software License Agreement. Welcome to the InstallShield Wizard for Tektronix ArbExpress Software. Click Next to continue with the setup program. To know more about what's new in this version of ArbExpress software click 'Release Notes'.
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DotNetInstaller.exe.logJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 00000003.00000000.2387483013.0000000140010000.00000002.00000001.01000000.00000009.sdmp, ISBEW64.exe, 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E.PDBF source: ArbExpress_V3.6_en_0703_066146106.exe
Source: Binary string: C:\projects\Perforce\tcong_PC-bej4-5RNY5Y2_ArbExpress\ArbExpress\ArbExpress\bin\Release\ArbFile.pdb source: ArbF5357.rra.0.dr
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile opened: C:\Users\userJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: unknownDNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknownDNS traffic detected: query: 197.87.175.4.in-addr.arpa replaycode: Name error (3)
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global trafficDNS traffic detected: DNS query: 197.87.175.4.in-addr.arpa
Source: data1.hdr.0.drString found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: ArbExpress_V3.6_en_0703_066146106.exeString found in binary or memory: http://deviis4.installshield.com/NetNirvana/data2.cabDisk1
Source: dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://fontawesome.ioWebfont
Source: dotnetinstaller.exe, 0000000A.00000002.2724965656.00000000005E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.veri
Source: 8f5b.rra.0.dr, setufd6.rra.0.dr, setup.ini1.0.dr, setup.ini.0.drString found in binary or memory: http://www.Tektronix.com
Source: 8f5b.rra.0.drString found in binary or memory: http://www.Tektronix.com/Measurement/cgi-bin/framed.pl?Document=/Measurement/signal_sources/home.htm
Source: ArbExpress_V3.6_en_0703_066146106.exe, data1.hdr.0.drString found in binary or memory: http://www.Tektronix.comID_STRING30ID_STRING35ID_STRING31ID_STRING32ID_STRING33ID_STRING34
Source: dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.devcomponents.com/dotnetbar/order.html
Source: dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.devcomponents.comAmailto:support
Source: dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: http://www.devcomponents.comKSystem.Windows.Forms.ContextMenuStrip
Source: dotnetinstaller.exe, 0000000A.00000002.2725795677.0000000000835000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 0000000C.00000002.2752519143.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 0000000E.00000002.2767514032.0000000000445000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000010.00000002.2786766818.0000000000975000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000012.00000002.2807797854.0000000000995000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000014.00000002.2819852174.0000000000915000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000016.00000002.2832409663.00000000004D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.flexerasoftware.com0
Source: ArbExpress_V3.6_en_0703_066146106.exe, setufd6.rra.0.dr, setup.ini1.0.dr, setup.ini.0.drString found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: 8f5b.rra.0.drString found in binary or memory: http://www.tek.com
Source: ArbE549f.rra.0.dr, ArbE5441.rra.0.drString found in binary or memory: http://www.tek.com/contact)
Source: ArbExpress_V3.6_en_0703_066146106.exeString found in binary or memory: https://HuF.?AVfile_exception

System Summary

Source: ISSetup.dll.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isrt9045.rra.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSee7e.rra.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_0000000140001A003_2_0000000140001A00
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_0000000140004D403_2_0000000140004D40
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_000000014000961C3_2_000000014000961C
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_000000014000DEA83_2_000000014000DEA8
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_00000001400043403_2_0000000140004340
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeCode function: 12_2_0489525D12_2_0489525D
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeCode function: 16_2_049A2B9116_2_049A2B91
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeCode function: 16_2_049A68C316_2_049A68C3
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeCode function: 20_2_0496496E20_2_0496496E
Source: isrt9045.rra.0.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _isu9094.rra.0.drStatic PE information: No import functions for PE file found
Source: ArbExpress_V3.6_en_0703_066146106.exe, 00000000.00000000.2029003323.00000000004B9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameInstallShield Setup.exeL vs ArbExpress_V3.6_en_0703_066146106.exe
Source: ArbExpress_V3.6_en_0703_066146106.exeBinary or memory string: OriginalFilenameInstallShield Setup.exeL vs ArbExpress_V3.6_en_0703_066146106.exe
Source: ArbExpress_V3.6_en_0703_066146106.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ISSetup.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isrt9045.rra.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSee7e.rra.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engineClassification label: sus24.winEXE@31/292@2/0
Source: ArbE5441.rra.0.drInitial sample: http://www.tek.com/contact
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_0000000140003230 CoCreateInstance,3_2_0000000140003230
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeCode function: 3_2_0000000140005870 LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,3_2_0000000140005870
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile created: C:\Program Files (x86)\InstallShield Installation Information\Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile created: C:\Users\Public\Desktop\ArbExpress Application.lnkJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:356:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4752:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeMutant created: \Sessions\1\BaseNamedObjects\5045756C-7552-4E48-B39F-C28A48E4EACD
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile created: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Jump to behavior
Source: ArbExpress_V3.6_en_0703_066146106.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile read: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Disk1\setup.iniJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeFile read: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe "C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe"
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A3681F74-C246-4C16-9456-61CA4AC85351}
Source: unknownProcess created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll"
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A3681F74-C246-4C16-9456-61CA4AC85351}Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe "C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll"Jump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /c cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: lz32.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: msi.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: riched32.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: srclient.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: spp.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: sxproxy.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: spp.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: srclient.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: srcore.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: ktmw32.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: wer.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: bcd.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: msxml3.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vss_ps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\cacls.exeSection loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: ArbExpress Installation Manual.lnk.0.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\Tektronix\ArbExpress\Documentation\ArbExpress Installation Manual.pdf
Source: ArbExpress User Manual.lnk.0.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\Tektronix\ArbExpress\Documentation\ArbExpress User Manual.pdf
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File written: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Disk1\0x0409.ini
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Automated click: I accept the terms of the license agreement
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Automated click: Next >
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Automated click: Next >
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Automated click: Next >
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Automated click: OK
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Window detected: &Next > Cancel < &Back Release Notes The InstallShield Wizard will install Tektronix ArbExpress Software on your system. This program is subject to the accompanying Tektronix Software License Agreement. Welcome to the InstallShield Wizard for Tektronix ArbExpress Software. Click Next to continue with the setup program. To know more about what's new in this version of ArbExpress software click 'Release Notes'.
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: ArbExpress_V3.6_en_0703_066146106.exe Static file information: File size 45206398 > 1048576
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 00000003.00000000.2387483013.0000000140010000.00000002.00000001.01000000.00000009.sdmp, ISBEW64.exe, 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E.PDBF source: ArbExpress_V3.6_en_0703_066146106.exe
Source: Binary string: C:\projects\Perforce\tcong_PC-bej4-5RNY5Y2_ArbExpress\ArbExpress\ArbExpress\bin\Release\ArbFile.pdb source: ArbF5357.rra.0.dr
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_00000001400068B0 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,3_2_00000001400068B0
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: ArbE502a.rra.0.dr Static PE information: section name: .textbss
Source: MakW53a5.rra.0.dr Static PE information: section name: _RDATA
Source: DevC1043.rra.0.dr Static PE information: section name: .datax
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Code function: 10_2_01EE000C push eax; iretd 10_2_01EE0055
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Code function: 10_2_01EE0744 push esi; iretd 10_2_01EE0745
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Code function: 14_2_004E2A54 push esp; iretd 14_2_004E2A55
Source: ISSetup.dll.0.dr Static PE information: section name: .text entropy: 7.980557814009445
Source: isrt9045.rra.0.dr Static PE information: section name: .text entropy: 7.974556688094566
Source: ISSee7e.rra.0.dr Static PE information: section name: .text entropy: 7.980557814009445

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Blob
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\mata504a.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\isrt.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\Prev39a5.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Disk1\ISSetup.dll
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbFile.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\mata50b7.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSee7e.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isr90a3.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSetup.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotn9017.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\DevC1043.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\Disp3196.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBE9026.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbL2be9.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setude2.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\matarb.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEqu.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\ArbE502a.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isuser_0x0409.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\matarb.mexw32 (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isu9094.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\MakW53a5.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\MakWfm.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setup.exe (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isres_0x0409.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE240a.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\isrt9045.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Disk1\setup.exe
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE51a1.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\Scop3dbc.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbF5357.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbC1fa5.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEther.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE5163.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\ArbEther.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Documentation\ArbE5441.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\Program Files (x86)\Tektronix\ArbExpress\Documentation\ArbE549f.rra
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DotNetInstaller.exe.log
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Documentation\
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Documentation\ArbExpress Installation Manual.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Documentation\ArbExpress User Manual.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\ArbExpress Application.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\ArbExpress Help.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Release Notes.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Samples\
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Samples\Waveforms.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Samples\Equations.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Tools\
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Tools\Matlab.lnk
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tektronix ArbExpress\Uninstall ArbExpress.lnk
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 2020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 2280000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 7E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 25C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 20B0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 4680000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 660000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 25E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 1FB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 2600000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 4600000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 25A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: 45A0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\mata504a.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\isrt.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\Prev39a5.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Disk1\ISSetup.dll
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbFile.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\mata50b7.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSee7e.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isr90a3.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSetup.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\DevC1043.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\Disp3196.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbL2be9.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\matarb.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setude2.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEqu.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\matarb.mexw32 (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isuser_0x0409.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\ArbE502a.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isu9094.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\MakW53a5.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\MakWfm.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setup.exe (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\_isres_0x0409.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE240a.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\{5045756C-7552-4E48-B39F-C28A48E4EACD}\isrt9045.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{3AC6FFEA-3778-4530-BBC2-4614DD352102}\Disk1\setup.exe
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE51a1.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\Scop3dbc.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbF5357.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbC1fa5.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEther.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE5163.rra
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll (copy)
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Dropped PE file which has not been started: C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab\ArbEther.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_3-6366
Source: C:\Windows\System32\SrTasks.exe TID: 5672 Thread sleep time: -290000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 4088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 2656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 4984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 6704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe TID: 3572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File Volume queried: C:\Windows FullSizeInformation
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe File opened: C:\Users\user\AppData
Source: SrTasks.exe, 00000008.00000003.2897968400.000001A9ACA13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 00000008.00000003.2892882833.000001A9ACA6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe API call chain: ExitProcess graph end node graph_3-6368
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_000000014000946C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_000000014000946C
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_00000001400068B0 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,3_2_00000001400068B0
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_0000000140009CA8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0000000140009CA8
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_0000000140007200 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0000000140007200
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_0000000140009E28 SetUnhandledExceptionFilter,3_2_0000000140009E28
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
Source: ISSetup.dll.0.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: 8f5b.rra.0.dr Binary or memory string: OPTYPE_PROGMAN
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: GetLocaleInfoA,3_2_000000014000E89C
Source: C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Queries volume information: C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Queries volume information: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Queries volume information: C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Queries volume information: C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Queries volume information: C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Queries volume information: C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe Code function: 3_2_000000014000A824 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,3_2_000000014000A824
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 Blob
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire Infrastructure1
Spearphishing Link
2
Native API
2
Windows Service
2
Windows Service
12
Masquerading
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
Registry Run Keys / Startup Folder
12
Process Injection
11
Disable or Modify Tools
LSASS Memory11
Security Software Discovery
Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
Services File Permissions Weakness
1
Registry Run Keys / Startup Folder
31
Virtualization/Sandbox Evasion
Security Account Manager1
Process Discovery
SMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCron1
DLL Side-Loading
1
Services File Permissions Weakness
12
Process Injection
NTDS31
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
DLL Side-Loading
2
Obfuscated Files or Information
LSA Secrets3
File and Directory Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Install Root Certificate
Cached Domain Credentials24
System Information Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Services File Permissions Weakness
DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
Software Packing
Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
[Behavior graph. ID: 1528662, Sample: ArbExpress_V3.6_en_0703_066..., Start date: 08/10/2024, Architecture: WINDOWS, Score: 24]

Source | Detection | Scanner | Label | Link
ArbExpress_V3.6_en_0703_066146106.exe | 2% | ReversingLabs
ArbExpress_V3.6_en_0703_066146106.exe | 0% | Virustotal | Browse

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSee7e.rra | 2% | ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSee7e.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSetup.dll (copy) | 2% | ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\ISSetup.dll (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setude2.rra | 0% | ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setude2.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setup.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setup.exe (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbC1fa5.rra | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE240a.rra | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE240a.rra | 1% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE5163.rra | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE5163.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE51a1.rra | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbE51a1.rra | 1% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEqu.dll (copy) | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEqu.dll (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEther.dll (copy) | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbEther.dll (copy) | 1% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe (copy) | 1% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbF5357.rra | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbF5357.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbFile.dll (copy) | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbFile.dll (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbL2be9.rra | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbL2be9.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\DevC1043.rra | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\DevC1043.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll (copy) | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\Disp3196.rra | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\Disp3196.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll (copy) | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\MakW53a5.rra | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\MakW53a5.rra | 0% | Virustotal | Browse
C:\Program Files (x86)\Tektronix\ArbExpress\System\MakWfm.dll (copy) | 2% | ReversingLabs
C:\Program Files (x86)\Tektronix\ArbExpress\System\MakWfm.dll (copy) | 0% | Virustotal | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
206.23.85.13.in-addr.arpa | 1% | Virustotal | Browse

Source | Detection | Scanner | Label | Link
http://www.Tektronix.com | 0% | Virustotal | Browse
http://deviis4.installshield.com/NetNirvana/data2.cabDisk1 | 0% | Virustotal | Browse
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d | 0% | Virustotal | Browse
http://deviis4.installshield.com/NetNirvana/ | 0% | Virustotal | Browse
http://www.tek.com | 0% | Virustotal | Browse
http://www.devcomponents.com/dotnetbar/order.html | 1% | Virustotal | Browse
NameIPActiveMaliciousAntivirus DetectionReputation
206.23.85.13.in-addr.arpa
unknown
unknownfalseunknown
197.87.175.4.in-addr.arpa
unknown
unknownfalse
    unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://fontawesome.ioWebfont | dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmp | false | | unknown
http://deviis4.installshield.com/NetNirvana/data2.cabDisk1 | ArbExpress_V3.6_en_0703_066146106.exe | false | | unknown
http://www.Tektronix.com | 8f5b.rra.0.dr, setufd6.rra.0.dr, setup.ini1.0.dr, setup.ini.0.dr | false | | unknown
http://www.Tektronix.comID_STRING30ID_STRING35ID_STRING31ID_STRING32ID_STRING33ID_STRING34 | ArbExpress_V3.6_en_0703_066146106.exe, data1.hdr.0.dr | false | | unknown
http://deviis4.installshield.com/NetNirvana/ | data1.hdr.0.dr | false | | unknown
http://www.tek.com/contact) | ArbE549f.rra.0.dr, ArbE5441.rra.0.dr | false | | unknown
http://www.devcomponents.comAmailto:support | dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmp | false | | unknown
http://ocsp.veri | dotnetinstaller.exe, 0000000A.00000002.2724965656.00000000005E7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d | ArbExpress_V3.6_en_0703_066146106.exe, setufd6.rra.0.dr, setup.ini1.0.dr, setup.ini.0.dr | false | | unknown
http://www.flexerasoftware.com0 | dotnetinstaller.exe, 0000000A.00000002.2725795677.0000000000835000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 0000000C.00000002.2752519143.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 0000000E.00000002.2767514032.0000000000445000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000010.00000002.2786766818.0000000000975000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000012.00000002.2807797854.0000000000995000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000014.00000002.2819852174.0000000000915000.00000004.00000020.00020000.00000000.sdmp, dotnetinstaller.exe, 00000016.00000002.2832409663.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.tek.com | 8f5b.rra.0.dr | false | | unknown
http://www.devcomponents.comKSystem.Windows.Forms.ContextMenuStrip | dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmp | false | | unknown
http://www.Tektronix.com/Measurement/cgi-bin/framed.pl?Document=/Measurement/signal_sources/home.htm | 8f5b.rra.0.dr | false | | unknown
http://www.devcomponents.com/dotnetbar/order.html | dotnetinstaller.exe, 0000000A.00000002.2730293507.0000000004AB2000.00000002.00000001.01000000.0000000D.sdmp | false | | unknown
https://HuF.?AVfile_exception | ArbExpress_V3.6_en_0703_066146106.exe | false | | unknown
                      No contacted IP infos
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1528662
                      Start date and time:2024-10-08 08:32:57 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 9m 7s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:29
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:ArbExpress_V3.6_en_0703_066146106.exe
                      Detection:SUS
                      Classification:sus24.winEXE@31/292@2/0
                      EGA Information:
                      • Successful, ratio: 87.5%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 72
                      • Number of non-executed functions: 49
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target dotnetinstaller.exe, PID 5060 because it is empty
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenFile calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadFile calls found.
Time | Type | Description
02:34:54 | API Interceptor | 29x Sleep call for process: SrTasks.exe modified
                      No context
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                      Category:dropped
                      Size (bytes):22492
                      Entropy (8bit):3.484893836872466
                      Encrypted:false
                      SSDEEP:384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
                      MD5:BE345D0260AE12C5F2F337B17E07C217
                      SHA1:0976BA0982FE34F1C35A0974F6178E15C238ED7B
                      SHA-256:E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
                      SHA-512:77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
                      Malicious:false
Preview:
[0x0409]
1100=Setup Initialization Error
1101=%s
1102=%1 Setup is preparing the %2, which will guide you through the program setup process.  Please wait.
1103=Checking Operating System Version
1104=Checking Windows(R) Installer Version
1105=Configuring Windows Installer
1106=Configuring %s
1107=Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system.
1108
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                      Category:dropped
                      Size (bytes):579584
                      Entropy (8bit):7.6477409990124645
                      Encrypted:false
                      SSDEEP:6144:/Fi43SaRsu0xho+Qvv0QhHxcul05EtXdosFRJrTy6kbdXLOvZ9sNSOVJEmY7ixzF:Lz0Y1d05EtXtFR9G6IcZZxsxzpKpHgT
                      MD5:B9D4678348F9D7FEF94C11DABD782960
                      SHA1:F2CA4A7B784F856ED7BDC9E9337544B35D69C9A3
                      SHA-256:1FAC3AA23390131843952C1E91AEBD0B6944EA65A2C271E36D288752890E9070
                      SHA-512:D0206DA19972504E9513639BF0BB2E14D155951ABDE07F579B34F1D2063010C765D44C0F343D673F42DC5C661B1234F096B29654B268CC2EC46756AFC6AE3CE6
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:InstallShield CAB
                      Category:dropped
                      Size (bytes):530911
                      Entropy (8bit):7.9957712300000505
                      Encrypted:true
                      SSDEEP:12288:4lqL4JImTqN0rGADWWv1ia2UrYFGK9HZT5:UURm165Wv1iN9L
                      MD5:1026CFC15528C7E2D265B52AAD685B9D
                      SHA1:28972EBF5554F278AE5480AEF91A7A7F97C59D3D
                      SHA-256:51893753F8FD66A5ADD439B4AF1F5EA10E02FE37F163CEEDBA81D4FC2C182B9E
                      SHA-512:96B6C3E2A2EA2E3C20EC1A1E7D3CB9CBAD0482CCAF3E0ABC6742600C08A625B9594D450FCA2EC43E38D0BB12D94826E6A3C9CF33A96C597EF0EEFD31BF314B3D
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:InstallShield CAB
                      Category:dropped
                      Size (bytes):32419
                      Entropy (8bit):3.6015666237649064
                      Encrypted:false
                      SSDEEP:768:hbaIZIO6SaJvst5gp8XA/lNH2Z2yYNLp6:hxeW3Ss
                      MD5:C00BBD1327C6D7041A281BE5FB18CA1E
                      SHA1:C9C76C6BCC724C1531FB850167F0D65315673766
                      SHA-256:6E2E032966B8732E93996A96C12F579377648EA803FA065FED900F6655F1872F
                      SHA-512:DA26F7F26A0C4844523838A1626AF939178F5C77893EE039D4C40AC01A1B852DB6FFC863854320B8AA9D04439140D41839906539C48AE2129EBEA377B706ECA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):606
                      Entropy (8bit):2.042463363702611
                      Encrypted:false
                      SSDEEP:6:UwRGUlfEnalMZF2CzJthelhCnanl8JDWLNglETl127n:U2zlfzla2w1aRlQyBE
                      MD5:85E08C293EF716E68706D1F6D8C060BE
                      SHA1:7F41B99FBC629C15E7DFA6DFE04895EE023707A3
                      SHA-256:9DBDE49A20CAC223A0680E6A88B6B33EDF0F35CF5CE4A15A0D7D419E6A2E722B
                      SHA-512:999F9A90575B299795BE6C19F13FB667668BB3D11542792EA0965E693C54D158E2477F4DDDD37C408008DB82F3373AAB5A05034795327E594FD44C13E1E56DA3
                      Malicious:false
                      Preview:c..S.@..^...........@....................................................................................................................................................................................................................................................... ...L...............x............................... ...4...H...............................................s.e.t.u.p...i.n.i.....s.e.t.u.p...e.x.e...S.e.t.u.p...b.m.p...s.e.t.u.p...i.n.x...s.e.t.u.p...i.s.n...I.S.S.e.t.u.p...d.l.l...0.x.0.4.0.9...i.n.i...d.a.t.a.1...h.d.r...d.a.t.a.1...c.a.b...d.a.t.a.2...c.a.b...l.a.y.o.u.t...b.i.n...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):804352
                      Entropy (8bit):6.5947838380291275
                      Encrypted:false
                      SSDEEP:12288:f3QOlnoHw/BVWJ0kVrOSknpcfAA3dF3q4NP:f37noQ/BVcN6P2tQ4NP
                      MD5:F037C2B0C1EB809C474EECFCB820F997
                      SHA1:543B57630595D55BCF6C38BA5B11F7D0B770DF30
                      SHA-256:1C07774BA5D0543F9109D8D67B8AB991F32B8DFA440787DE57E339BBC2073816
                      SHA-512:CE86A018D827F4E63E150A19680EE2EE36C65A070B7EE700796BD5330B552C55FC9730416FDEB5B2F52BC906E7FC09E52CFE5441E33C8913816C14C0B69F38C8
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Atari MSA archive data, -11636 sectors per track, starting track: 22332, ending track: 3470
                      Category:dropped
                      Size (bytes):259693
                      Entropy (8bit):6.692274993753087
                      Encrypted:false
                      SSDEEP:6144:qsIKmUhmFIr3hq5aKN+mpcSjP23O3yjlD3trv0:UaNU
                      MD5:5B26FDB5A5A3B6C06F591B358F970236
                      SHA1:8E817F8AA8CDB649C1566AB12F513A6E1404988D
                      SHA-256:9561957AC4300F51E48C55E907DAB6F94A5EA98A2AA221C055FBE463618DFE71
                      SHA-512:47519049B4048DC7AA2FF3898FF1CF06858F6310454969B6DD8192D4B0DC7C32A854A83C8BFD19DEA7EDB1623D6B296D8526B7352A17C680C78D148AD2129EA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):246914
                      Entropy (8bit):7.384542988989865
                      Encrypted:false
                      SSDEEP:3072:jboSoC531QrAcXoLqmRemqmZNCGqgzADb2EZ01m+qM8fvXzq7vy51QiabTeUL+9U:jboNCpiYGGNCd+uC67CTeVHJE
                      MD5:9F8490DD84FDDECA54D6F14F25870974
                      SHA1:ED5998423E45E47D67E7ABFA9D304D81E1C5C164
                      SHA-256:2DEFD9BD3F762CE684820242B72605FF9D1C96EDE0B12932B5C3C970F5ADFF8F
                      SHA-512:CBC6575408171D438BA590F39B49A2551C9F2EF1F29B4222205D2934A32084137E59FED3A8EAE7C494BA021318AE76906365F89DA23C3E84F11F2B9C29FA4269
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2456
                      Entropy (8bit):3.6725407729186026
                      Encrypted:false
                      SSDEEP:48:rsAMapXYD5xibcPTmscu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAMaXPcrmqrvnp6kY05w7tCYOvlnAMn
                      MD5:6DD6AF0025691CD415234E63A59FB00B
                      SHA1:19BAD7981EACD8AB6132BC747ED71D11AD13FDCE
                      SHA-256:05F3257D331575BD32DD31D479582AFDEB9466496E2D384FF16E7EB537B86893
                      SHA-512:BB456B6418B7F5C728AEA06046A5946C0461AEE96BAA06C8BD6F467BE1C8B83B08FE4278ADEA0EC608B1A70E40CC5041F7A2B2963C03B13E5C6A90F04445DC3A
                      Malicious:false
Preview:
[Startup]
Product=Tektronix ArbExpress.
ProductGUID=5045756C-7552-4E48-B39F-C28A48E4EACD
CompanyName=Tektronix
CompanyURL=http://www.Tektronix.com
ErrorReportURL=http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
MediaFormat=1
LogMode=1
Skin=setup.isn
SmallProgress=N
SplashTime=
CheckMD5=Y
CmdLine=
ShowPasswordDialog=N
ScriptDriven=4

[Languages]
Default=0x0409
Supported=0x0409
RequireExactLangMatch=0x0404,0x0804
RTLLangs=0x0401,0x040d
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):804352
                      Entropy (8bit):6.5947838380291275
                      Encrypted:false
                      SSDEEP:12288:f3QOlnoHw/BVWJ0kVrOSknpcfAA3dF3q4NP:f37noQ/BVcN6P2tQ4NP
                      MD5:F037C2B0C1EB809C474EECFCB820F997
                      SHA1:543B57630595D55BCF6C38BA5B11F7D0B770DF30
                      SHA-256:1C07774BA5D0543F9109D8D67B8AB991F32B8DFA440787DE57E339BBC2073816
                      SHA-512:CE86A018D827F4E63E150A19680EE2EE36C65A070B7EE700796BD5330B552C55FC9730416FDEB5B2F52BC906E7FC09E52CFE5441E33C8913816C14C0B69F38C8
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):304128
                      Entropy (8bit):2.777174706338683
                      Encrypted:false
                      SSDEEP:3072:HKaD0Ngzsd8RqY/ix4K5cC3NACuBCfuIdRdxMchpkgK/WXVhc1ESEBnz/JK583Fd:4YY
                      MD5:55F27335F7FBF56D3DF0E69CCA8AF0D3
                      SHA1:02FCE2AABEB9DF93165CE7106D0BD0B2BBE02396
                      SHA-256:3E36E75EE10F078730CF3287541AAF18E8C6B987D7F6FEEB12BDB8CC12CA031C
                      SHA-512:45542479BFF56D437DA88975A5DE313A6F5EE975384532F503DDFE0490EFFEC33DCCBD7BE2324E9A4B03BE80AE798D3772F79568D2ED9D52C54E92A1EAF91CC2
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2604
                      Entropy (8bit):3.697107381721997
                      Encrypted:false
                      SSDEEP:48:rsAMapXYD5xibcPTKXYYOmscu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOybg:rsAMaXPcmX9Omqrvnp6kY05w7tCYOvlR
                      MD5:88F239292F77F747E8CC57E9D8D940CD
                      SHA1:2E773E9E262447429778B18370B393E096FFAA8F
                      SHA-256:A9148AC24578F54D4F544D0E4BE78CD560B4022450122B95DEDE6B4043BDB8F1
                      SHA-512:62A889F0792E6C412A85A131A245B00322F56A77B49B668A4C12C700E7C5F90812B02689EBB5DE57644525BD79AE01B4EAE0C4DAAE24906BFF017E7A2AF21429
                      Malicious:false
                      Preview:..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.T.e.k.t.r.o.n.i.x. .A.r.b.E.x.p.r.e.s.s.......P.r.o.d.u.c.t.G.U.I.D.=.5.0.4.5.7.5.6.C.-.7.5.5.2.-.4.E.4.8.-.B.3.9.F.-.C.2.8.A.4.8.E.4.E.A.C.D.....C.o.m.p.a.n.y.N.a.m.e.=.T.e.k.t.r.o.n.i.x.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...T.e.k.t.r.o.n.i.x...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.....S.o.u.r.c.e.=.0.....A.l.l.U.s.e.r.s.=.1.....I.n.s.t.a.l.l.G.u.i.d.=.{.5.0.4.5.7.5.6.C.-.7.5.5.2.-.4.E.4.8.-.B.3.9.F.-.C.2.8.A.4.8.E.4.E.A.C.D.}.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):246914
                      Entropy (8bit):7.384542988989865
                      Encrypted:false
                      SSDEEP:3072:jboSoC531QrAcXoLqmRemqmZNCGqgzADb2EZ01m+qM8fvXzq7vy51QiabTeUL+9U:jboNCpiYGGNCd+uC67CTeVHJE
                      MD5:9F8490DD84FDDECA54D6F14F25870974
                      SHA1:ED5998423E45E47D67E7ABFA9D304D81E1C5C164
                      SHA-256:2DEFD9BD3F762CE684820242B72605FF9D1C96EDE0B12932B5C3C970F5ADFF8F
                      SHA-512:CBC6575408171D438BA590F39B49A2551C9F2EF1F29B4222205D2934A32084137E59FED3A8EAE7C494BA021318AE76906365F89DA23C3E84F11F2B9C29FA4269
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Atari MSA archive data, -11636 sectors per track, starting track: 22332, ending track: 3470
                      Category:dropped
                      Size (bytes):259693
                      Entropy (8bit):6.692274993753087
                      Encrypted:false
                      SSDEEP:6144:qsIKmUhmFIr3hq5aKN+mpcSjP23O3yjlD3trv0:UaNU
                      MD5:5B26FDB5A5A3B6C06F591B358F970236
                      SHA1:8E817F8AA8CDB649C1566AB12F513A6E1404988D
                      SHA-256:9561957AC4300F51E48C55E907DAB6F94A5EA98A2AA221C055FBE463618DFE71
                      SHA-512:47519049B4048DC7AA2FF3898FF1CF06858F6310454969B6DD8192D4B0DC7C32A854A83C8BFD19DEA7EDB1623D6B296D8526B7352A17C680C78D148AD2129EA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PDF document, version 1.4, 4 pages
                      Category:dropped
                      Size (bytes):828138
                      Entropy (8bit):7.9451206492467294
                      Encrypted:false
                      SSDEEP:24576:HCdcr3vE16zjFILkgiEL9kpDO30yECo2sNC:HCdc7vE14hv2LepCUZLNC
                      MD5:DC0CC281F569D18346E0A49AECAFE251
                      SHA1:947338AA8C896EAEE9CBE4167C41FF07DDB9BC17
                      SHA-256:177C52E37EEF22797B45A260BB154BCA0F13C50348B4E24AB50E5A07C4982C26
                      SHA-512:3106D28AE12DFA2422E9B458D0755C6D38D8C71F9FDB1FAB9C348C3A4063E4A5C726B64DC1FA720A228C908469401D24E8253659E6DF672B38CA7011C0F441B7
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PDF document, version 1.4
                      Category:dropped
                      Size (bytes):8258953
                      Entropy (8bit):7.946180407433681
                      Encrypted:false
                      SSDEEP:196608:NWhQSqNfgZUx3wn8HsSAy7dI7Iq3cOKlzi:cUNfgilw8M/yhRrZi
                      MD5:BA9FC01FA806C5AAC09ADCB74B78FBA3
                      SHA1:BFCB8D889A8BB8D81DD5E602816FFFC22D87B47C
                      SHA-256:C61C56FA5A25C6097766E56D688D57B8A22A00A5D1427048C08F06F4013B0CCC
                      SHA-512:DADE634257446B35FB835059CDCE7C6C99D91BAC9182463733CA7C78B9DD0810D9F89601EA6B643C1B467C0B7EFDD9C9D99B74FCB6460896321AE8E0E5025FAE
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):505
                      Entropy (8bit):4.969398482301632
                      Encrypted:false
                      SSDEEP:12:m4IZdO7IhelNoF0BE6Oi+hPw4s2nYVWPHtFOP:QbcWIoy5+hogFIP
                      MD5:FCB46D6B1D150E1D26521B99B556F7C7
                      SHA1:D5FD3FB1A0953F326904BA77E43F4EB5E710B6B1
                      SHA-256:D4E500AEA88CB9808F5EBC5CE9D6DF11F765E2AD07E5001BE41EA41D16133096
                      SHA-512:287225D079909108F2FB3CAE35E8D9D7E252440BE0C2BE1FFF4498C19E056544DE71FC8384FE36BF0C21E916E778ABCC1DF09688CEB5D74F142BD8F069E17634
                      Malicious:false
                      Preview:#This equation represents Amplitude Modulation..# Carrier is 10Hz cosine wave with 1V peak amp & ..#a 0.5 second time advance (a negative delay). ..#The signal is .5 Hz sine wave with a 1V peak amp...#View at: Amp=2v Offset=0v Start=0s Stop=1s..#Change the '.5' to change the signal frequency...#Change the '10' to change the carrier frequency...#Change the '+.5' to change the time shift...#View the waveform with Settings: Points:1M, SR:1MS/s....range(0us,1s)..sin(2*pi*0.5*t) * cos(2*pi*10*(t+0.5))....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):390
                      Entropy (8bit):4.949868493062765
                      Encrypted:false
                      SSDEEP:12:3H2HFLDM1xjF+IYaDNF8NuOuqwNAdnYf7G2:aLI1X+IYyNF8N+nSyT
                      MD5:F28E823CE6BA3260FE9A014B46A3D92F
                      SHA1:5D4BA0C3306E21AB3D7A4720084A0BA98F188DDD
                      SHA-256:C92E49BC8767FFDF3AA238DE80579FFA5B764CE9D7F2BCE06887F4A34D7372A3
                      SHA-512:1E01F39227FACB6A607345E30C1413EB951C44AD1ABA5BB0C08D5619E269088D1C965FD1393F43BC9532E8F11E74D79E885BBCD80A3B261828266E21F8A83B93
                      Malicious:false
                      Preview:#This waveform is for Amsweep waveform..#Settings: Number of Points 1M, Sampling Rate 1MS/s..#Carrier signal is a 22.5 Hz sine wave with .5V pk amp...#The 't'factor will cause increase in amp...#Change the '.5' to change the rate of growth...#Change the '22.5' to change the carrier frequency..#View the Waveform with Settings Points:50K, SR:50K.....range(0s,1s)..0.5*t*sin(2*pi*22.5*t)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):450
                      Entropy (8bit):5.120545096930141
                      Encrypted:false
                      SSDEEP:6:LVIVGc9BkwIOFTNaDd4VFBsovsmJaF1z8U2n3ofPFPExG2C3aoV:W0aBk/QNaDd4VFuAJaLz92nYftPSJCtV
                      MD5:0C1288F5BBBC555F5A8667FD41A5328C
                      SHA1:18D8A5B892FD098275709A819E2D3F12504AD2CA
                      SHA-256:71A2C40EB5FC2260791B4A6F4C088AC7ED2FC0FB31D7575FBCB5A1E60D47DFB6
                      SHA-512:E9AEDC0ABCCBE03D76100F1B83756DCE328738365B2C6087E81BC6E8A1C1BFDDC993227D49E3CD58558C857C16E6CDBE33F12F7E15BEAA72EE10A66657454B1D
                      Malicious:false
                      Preview:#This equation is for Damped Sine Waveform..#K0 indicates the inductance(L),..#k1 indicates the capacitance (C),..#k3 indicates the damping time constant...#The equation represents an attenuated amplitude ..#waveform with a resonance frequency ..#of 1MHz(L = 2mH, C-12.66pf) and a damping time: 6us...#View the waveform with Settings Points:4K,SR:100MS/s....range(0us,40us)..K0=2e-3..K1=12.66e-12..K2=K0*K1..K3=6e-6..exp(-t/k3)*sin(1/sqrt(k2) *t)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):289
                      Entropy (8bit):4.857688459447877
                      Encrypted:false
                      SSDEEP:6:CBq63Ls4Gvn3ofUKWDEPoXx49PAqtLeAJXOoP+n:363hGvnYfTWD0TP3Je8+n
                      MD5:FE5D6B47691F6AD04AF3523135C29F3D
                      SHA1:85A79D23313F2812982FA3AC46630795E9ADF1A2
                      SHA-256:5ADFF3386E7F26FE9D83F4C711A6B6D74931D2CDFA1009901D61BB06B837D3BF
                      SHA-512:D258893F6E728F8AF5158D9040DC53B97BC689DBDC1431922053FEB8979CC2E284114E9249346A4D1E015F9FA7402E0E6358738A266CEBD4A03510D3C0704A7F
                      Malicious:false
                      Preview:#This equation is the rising & falling exponential function..#K1 and K2 are the rising and falling time constants..#View the waveform with Settings Points:100K,SR:1GS/s....range(0,100us)..k1=1e-6 #rise time constant..k2=10e-6 #fall time constant..exp(-t/k2)-exp(-t/k1)..norm()......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):139
                      Entropy (8bit):4.936413376137447
                      Encrypted:false
                      SSDEEP:3:DaL2CWVrADcyWYVg3+fYRV3oyMLwEkPE2nrMY4VNtiyovyn:LredVin3ofGPEmubvn
                      MD5:7C62DD220E67965419992DB8462B3666
                      SHA1:356AEBB0635936EAADF828BB251B2C84AE3E1EEA
                      SHA-256:452A172DD1EED198FFA0C86143EC7BDE76F1514599EB4B8D7403C92CC35841F6
                      SHA-512:876E3C455E78593341442D2673965C534E2A60716C2FEEE8C50E356005CA49E83AE0F43C95684214810B3A2AD137EE9A8FD4992777A1CCB93AC770BD4C59E285
                      Malicious:false
                      Preview:#This equation is for Exponential Rise waveform..#View the waveform with Settings Points:100K,SR:1MS/s....range(0,10ms)..1- exp(-5*t)......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):397
                      Entropy (8bit):4.976605528490228
                      Encrypted:false
                      SSDEEP:12:v3NVi6GZu1fvP8yed81yedkh28inYfoPakveH:GQ1PQomXoCkM
                      MD5:D891AA5C9E06337D5F26F4FA306B32F0
                      SHA1:A3A12735CDA61A59AC7AA9F3FFDAFEA33E38BD2D
                      SHA-256:70C4EBC9D2162497FC9A805156873C49B26D3311555BF6569C0EF12256F109A6
                      SHA-512:55EB2DF07A2EB5CE57C0CC873BA74695E9BA0F77FB8C52FDF77BB075DF3004511EC06C0DA819A3F755E34B7A835DD47BBFB2A250226AF8456251803A8969292D
                      Malicious:false
                      Preview:#An exponentially decaying sine wave with ..#Freq=1KHz,5V peak amp,decaying time constant 10ms...#Change the '5' to change the peak amp of the sine wave...#Change the '10^3' to change the frequency of the sine wave...#Change the '10^-2' to change the time constant of the decay..#View the waveform with Settings Points:10K, SR:1MS/s....range(0ms,10ms)..k0=1e3..k1=1e-2..5*sin(2*pi*k0*t)*exp(-t/k1)
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):408
                      Entropy (8bit):4.859348265206968
                      Encrypted:false
                      SSDEEP:12:pW0NNQe14wvo/s1xQ3o4uvoxnYf7IrEoaIF8ePdP:pXNNjw/nYPw28rEoavqP
                      MD5:CD156D4AFD246FF83666BB1A138123BB
                      SHA1:E15712B02761AA43A90AE69C4A25033B3B63756B
                      SHA-256:290A151A4261ED9FD2AB455AA9B6A59C2B6A225973877F2681DA4C2C1B730363
                      SHA-512:09FA5FC65740B6A54B0FAB5893E5A10C25AABBB9428B4A150B18586BD5A17023088E9689AC4F86155106DBEEC14ED05B54170E83902953B2E2AB7748060F0E64
                      Malicious:false
                      Preview:#The carrier is a 40 Hz sine wave with a .97 volt DC offset...#The signal is a 2 Hz cosine wave...#Change '.97' to change the offset of the carrier sine wave..#Change the '2' to change the freq of the signal cosine wave..#Change the '40'to change the freq of the carrier sine wave..#View the waveform with Settings Points:1M,SR:5MS/s......range(0ms,200ms)..(sin(80*(pi*t-pi))+0.97) * cos((80*(pi*t-pi))/20)..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):485
                      Entropy (8bit):4.945751889940425
                      Encrypted:false
                      SSDEEP:12:bA9bw8uE7DipN8213WIDSfbHUmfyDa5XJHUlPVQey:Ys8riVzSfXyDs5CPOf
                      MD5:B22FDD3526C9365142D0B61FF403BF97
                      SHA1:FC2875DF4902684FC7A2FFF75DBE84172558AF0E
                      SHA-256:ABBBB6F9B7B8BFB06F887D586250DD031B91791F4E793219BBED173B5FEFF7FE
                      SHA-512:74E8EEDDF97ADFFAAF1BA87F3BEE20CF8190793E38E1E5C8D0304AF14E089D1347C75FC8F1287A22DA2CE4B863AA0F2D66FE072C5AE554753C619E1F0901D585
                      Malicious:false
                      Preview:#This equation is for Frequency Modulation waveform..#k0 = modulation signal frequency..#k1 is carrier freq & k2 is the freq deviation. ..#K0 is the frequency of the cosine wave ..#that is used to modulate a sine wave of freq k1...#The Modulation index is given by k2/k0...#View the waveform with the Settings Points:2K SR=100M....range (0,20us)..k0=50e3. #modulation frequency..k1=2.5e6 #carrier freqeuncy..k2=2e6 #frequency deviation....Sin(2*pi*k1*t +k2/k0*sin(2*pi*k0*t))........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):331
                      Entropy (8bit):4.76249485641638
                      Encrypted:false
                      SSDEEP:6:m4ZdAcnkBSJ1m2K2ZzKGE4RRwrAMjfQfDX0MFFSyKGEP1kp:m4ZCcnkkJbK2ZzG4R+UmfQfr0MFIJNC
                      MD5:8139C77E3F8F178BFC28285513C529B3
                      SHA1:4EEAC2EFEC5E9C847E85CCA97C712F9B9F43F198
                      SHA-256:EA52B1F3EA5430C24F09B4D02B3ABE2839308466730F4D5FBB94B7E2BDA01ABA
                      SHA-512:FD2900EC8DDF5B2EF6506E8077C960B0A803F6DE23A0A6C69F3AC2F6DBD3F74E6674C347946B46ED5F7DB72D26147A84A1CCE60A026A45E7C32526C93BC9C8FD
                      Malicious:false
                      Preview:#This equation represents the Gaussian pulse...#Ko indicates the half width for the pulse,..#K1 indicates the peak location of the pulse..#View the waveform with the Settings Points:10K,SR:1G......range(0,10us)..k0=0.3e-6 #pulse width..k1=1.28e-6 #peak location..exp(-ln(2) * (( 2 * (t-k1)/k0)^2)) ....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):497
                      Entropy (8bit):4.93102542385619
                      Encrypted:false
                      SSDEEP:12:cUO5GkXDGECWokCNueciuvoc+vo11xQNoxUmAPIabhi/:u3zmvBN2w/wm6ORg/
                      MD5:D33912084734C25874BCDE2C565FAECE
                      SHA1:C6E84929BE959CE19A6D04531535F16CC2AA0B1D
                      SHA-256:ECA7B9EBAC80C530731C6013248D3E8CC44437C738459A29485DBC7682D4F7B4
                      SHA-512:5726F95AC55D851464138786D321D7BD5935A32D5E2FB7A771561F33B1C526632C87AFE1AD20020C014373B7E5EE537DD41DB6423411511F1AE40A976EF233AB
                      Malicious:false
                      Preview:#Half AM. This is an AM modulated wave..#The bottom half inverted and added to the top half...#The carrier wave is a 40 Hz sine wave..#with a DC offset of .97V...#The signal is a 2 Hz sine wave...#Change '10'to change freq of the carrier sine wave..#Change '.97'to change DC offset of the carrier sine wave..#Change '8' to change the freq of the signal sine wave..#View the waveform with the Settings:Points: 500K, SR:1MS/s....range(0ms,500ms)..abs((sin(8*pi*10*t)+0.97) * sin((8*pi*10*t)/20))....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):192
                      Entropy (8bit):4.830206090819378
                      Encrypted:false
                      SSDEEP:3:jJEN2CWVQCFEXgDFyUALGmN+V9FgrLVyGo+fYR9AMRxyMLwEG12+/sIov:NpQCFEQDFVAymQVgtyprAMjfY14F
                      MD5:76F61980C368DB2272611E02C60F51D5
                      SHA1:BD0F347580B8BE6148F2F60E9FA3784950239C06
                      SHA-256:48C7A14B9CB70CF01DD28722F57FF88053A4C41416CD7BE439DA6CA43E9C9BC8
                      SHA-512:9268F44399790347DD4C22680170FD64E0BE715A4765CC425701AB9B4EB2DB95CD64E5675FBDB49B3C6AF0710C73EF40CBD2F172950B336E7F024A7F5C87CE45
                      Malicious:false
                      Preview:#This Equation is for generating a Half cycle Sine Wave..#Change the range according to your settings..#View the waveform with the Settings Points:100K,SR:50M....range(0,2ms)..sin(0.5 * w)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):364
                      Entropy (8bit):4.876191911381749
                      Encrypted:false
                      SSDEEP:6:fUkzhRGN31onAHv7eFkSVKRC0G/RCC3y/rAMjfNmwPEbQbVLQE5adOvoQVLQE0o0:fqhiAHzKVKRtQR7C/UmfXP9bVLyyxLab
                      MD5:55795B722BD757E36B0C09B3E97D209F
                      SHA1:05699F10AECAD9D91CE794B6A5B8D2D8E173427F
                      SHA-256:D6CE43FB56E0446A8C85149956A3024DF6C62434722CAE269E05F9A69761101F
                      SHA-512:A28D2427E067CDFE6AB9315ECBE3BAA0986E738715A5E41346ABEB4B5061D8048503E4517097F3E383934D925A339908F890A900826BE9CF4DBAED3DA6F040DC
                      Malicious:false
                      Preview:#This equation Integrates the function Using integ()..# over the range specified with range()...#The integ() comprises an entire line...# After integ(),specify normalization norm() as necessary...#View the waveform with the Settings Points:1000,SR:10MS/s....range(0,33us)..-0.5..range(33us,66us)..0.5..range(66us,100us)..-0.5..range(0,100us)..integ()..norm()......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):467
                      Entropy (8bit):4.77019913944265
                      Encrypted:false
                      SSDEEP:12:3tsTbNmEaerr1ckTFeJPrkvZnoxuvqOxQVk2UmfK2+:WXNxrOpFrk99ajE
                      MD5:3E0520160023F34469E4E5EF6C6F69EC
                      SHA1:E4E7AFF70BA491A592B871E49539C8546254EEC2
                      SHA-256:910233B1A7383E07C99D47CE7DAC14A3D62A5AF8171025897DB83675D439E256
                      SHA-512:E585F12CE8F6E4465B0D459B714BB96FBD82CC4413B8E98D43F0BEA8A71A6FEF3BEF8EB7FCFA0A6EB800560D58FD571106666751B524D475C7A96B486F519C51
                      Malicious:false
                      Preview:#IM modulated wave. ..#The carrier is a 52.5Hz sine wave with .2v peak...#The signal wave is a .5 Hz sine wave...#The two waves have been added rather than multiplied...#Change '.2' to change the peak volt of the carrier wave...#Change the '52.5' to change the freq of the carrier wave...#Change the '.5' to change the freq of the signal wave...#View the waveform with the Settings Points:1M, SR:1M....range (0,1s)..0.2*sin(2*pi*52.5*t) + sin(2*pi*0.5*t)............
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):264
                      Entropy (8bit):5.053587940932463
                      Encrypted:false
                      SSDEEP:3:DaL2CWV/AVwMIVbUfYR9AMRxxLBhxhwPE2+RyUnjVFtI8XkwCFD7RtVkFFFmIJMe:L/AxIVb1rAMjx73wPEDDVnVdkkFFkkEa
                      MD5:AFCEA1DAB3A5DBB948B8616EED6E7D6C
                      SHA1:D70DDF8A7C51BD7392F626C82EED188B8B726A37
                      SHA-256:3EBAF1E492B133E288670E2D3E839459EB9F8C2F5A7C0B7555C1B31BE9181DA7
                      SHA-512:06C4083202EE00D1FD6F5498DB32E8B384C31246F5BA3F8B266E0A3393A5ABF08E269F00D8CC5A9D445030EE82DBA4887BC26C6A88431EFCCE7C27B053631E2F
                      Malicious:false
                      Preview:#This equation is for Linear Sweep Waveform..##View the waveform with the Settings:Points:50K,SR:10MS/s....range(0, 5ms)..k0=1.6e-3 #sweep period..k1=5e3 #starting frequency..k2=50e-3 #ending frequency..sin(2*pi*k1*t+2*pi*(k2-k1)*(t^2)/2/k0)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):337
                      Entropy (8bit):5.099670085906036
                      Encrypted:false
                      SSDEEP:6:LPuVGaW0xxjrAMjf73wPETvHkkFFGoLnAKNAXPUEoan:Lu0a5jUmfMPQEkxIIan
                      MD5:7956BA42014702F58D208713C787E20E
                      SHA1:16D60165E3C811E9F75525270C7C21B58E35AAA6
                      SHA-256:AF6DDDEFAC0DF61177D9D75E3D8E50F0F599674B83AE4C1CBE3FCC53332664A4
                      SHA-512:9B825321B914D9EA49ADBE2C129EE11A0911B72E9D85541861ABF5BF1FA3984F916D7A8815CCBEE67EFBC68BC6A75EC8C8AD1793F4CD1C53D861B8E549E0CEE1
                      Malicious:false
                      Preview:#This equation is for Log Sweep waveform..#K0 indicates sweep Period;..# K1 and K2 are the start and end frequencys...#View the waveform with the Settings Points:50K,SR:10MS/s....range(0, 0.22ms)..k0=2.2e-3 # sweep period..k1=5e3 #starting frequency..k2=50e-3 #ending frequency..K3=ln(k2/k1)....sin(2*pi*k1*k0/k3*(exp(k3*x)-1))......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):189
                      Entropy (8bit):4.846284429921489
                      Encrypted:false
                      SSDEEP:3:GWERLLqiRNgTZV0+SdAlSKi5XGWZ4BS+fYR9AMRxyMLwAhwPE2nuosCGNqpvy:GWE3fbu2rAMjf1wPEPosCJa
                      MD5:55D13BF13647F24495E4996241BDD25E
                      SHA1:4FD42642199D84ECC6ADBB6DFCAC5141F7DD16FB
                      SHA-256:4A6222377ED50E319E6BD66B50CCAC571D5EBE31FAC670F17BCCD09B2B416585
                      SHA-512:68785A43B37914E97FE91E2834439E608AE112179921DDB805B43678E095FA3D7B276E228CE243DFB45CF3F248BCB4F4F95FFE7E7BD544C65AF88C5AF70E9843
                      Malicious:false
                      Preview:#This equation uses the log function...#The arguments to the log function must be positive...#View the waveform with the Settings Points:1K,SR:10MS/s....range(0,100us)..log(10*(x+0.1))....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):311
                      Entropy (8bit):5.023728917051655
                      Encrypted:false
                      SSDEEP:6:LQCFE3LBSJ1aK2ZzKGE4RRwrAMjfGFPEOfI0MCKGEQleJj:D+3LkJgK2ZzG4R+UmfOPpfI0M5fJj
                      MD5:6864DADECF74B57E925875F90370E743
                      SHA1:826EA6ECDFEA943732B594D6E4DD555445B23A05
                      SHA-256:C66F7DC0A1555D3E8427406C69CF0593990E3B119790598344B9AB0366EF2DC3
                      SHA-512:696C40AC563736E6F635621506B73802013B3A9BBF41D80F3E095D1CB540B7EF83020A9B29BC41CBC1EDF82A36F3DE2785C6F536561DC3D1AA864E53510E58B6
                      Malicious:false
                      Preview:#This equation is for generating a Lorentz Pulse..#K0 indicates the half width for the pulse; ..#K1 indicates the peak location of the pulse..#View the waveform with the Settings Points:1K,SR:100MS/s....range(0,10us)..k0=0.3e-6. #pulse width..k1=1.28e-6. #peak location..1/(1+(2*(t-k1)/k0) ^2)..................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):316
                      Entropy (8bit):4.743393662503266
                      Encrypted:false
                      SSDEEP:6:NnXvfqPSXeezyQ7AUOu5ZAHv7eirAMjf1wPE66l92bEeXGkEeXHn:h6PSunQEXu5+HzxUmfyPz6l92g2GN2Hn
                      MD5:E782A64F91750C3A2F0076D6B6F7318D
                      SHA1:3F31BFB63857FB72FD65FA41FBFB340762DC5A4F
                      SHA-256:C8E48154F26FED806E93F6ECCC003CC88997120F74D93673CFE2CAC3E301927D
                      SHA-512:265DA2CE5C0DD2DB738684E05E498827B0B657B6992174040F189AE53F6B4F83AA56122AF0621F79B4B2AF2377412005A8013D19FB3B17DBF8B344F15B66D42B
                      Malicious:false
                      Preview:#This Equation uses the Marker Function...#Marker Sets the marker over the range specified ..#with the range function...#The marker function comprises an entire line...#View the waveform with the Settings Points:1K,SR:10MS/s....range( 0, 100us )..sin( w )..range( 0, 50us )..mark( 1 )..range( 0, 100us )..mark( 2 )..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):303
                      Entropy (8bit):4.925498494890953
                      Encrypted:false
                      SSDEEP:6:NjTFBJAegLbFRCikKJSiWo0KcMyprAMjfC6wPEPoeYpoLoR:BRrAeWFRCixDYBpUmfCBP0biVR
                      MD5:0530CE1E756114BE03F567A49E052816
                      SHA1:1C42A398D2F5C0A1BB4A6898E9904A4DA4BEECE3
                      SHA-256:E31D877282E6ED7D950552C9A2EBB55D5C564205E7F8DF951847968255B7706C
                      SHA-512:2C3F691F3B5F386F8BCDAC7456799E2C262044770E469EAC31CECDE4F60084C93BCC3F5EA3258111789AB0F5185529562695D0435183F55452362DF0ED602FE3
                      Malicious:false
                      Preview:#This Equation uses maximum and, minimum functions...#maximum function takes the larger of ..#two values and minimum takes the smaller of two values...#View the waveform with the Settings Points:1000,SR=10MS/s....range(0,100us)..sin(2*pi*x)..range(0,50us)..min(v,0.5)..range(50us,100us)..max(v,-0.5)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):473
                      Entropy (8bit):4.791071222812472
                      Encrypted:false
                      Malicious:false
                      Preview:#This is a sum of a modulated wave & it's own carrier..#wave doubled.Thecarrier wave is a 3Hz sine wave, ..#The signal wave is a .1Hz sine wave..#Change '.1' to change the freq of the signal wave..#Change '3' to change the freq of the carrier wave..#Change the '2' to change the size of the carrier wave..#Change '.5' to change the amplitude of the signal wave...#View the waveform with Settings Points:5M, SR:1M....range(0,5s)..2*(1+0.5*sin(2*pi*0.1*t))*sin(2*pi*3*t)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):412
                      Entropy (8bit):4.888129997126819
                      Encrypted:false
                      Malicious:false
                      Preview:#NoiseSyn (Sine wave with random noise added)..#<NoiseSyn> sin(2*pi*3.5*t) + .3*rand..#This is a 3.5 Hz sine wave with random noise added...#The added noise has a maximum ..#magnitude of .3 volts...#Change the '3.5' to change the freq of the sine wave...#Change the '.3' for the max magnitude of the noise...#View the waveform with the Settings Points:1M,SR:1MS/s....range(0,1s)..sin(2*pi*0.5*t) + rnd(8.3)......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):399
                      Entropy (8bit):4.814128885181189
                      Encrypted:false
                      Malicious:false
                      Preview:#This Equation uses the normalize function...#The normalize function normalizes the range ..#specified with range function and ..#scales the amplitude values so that the maximum ..#absolute value is 1.0 (i.e. a value of +1.0 or -1.0)...#The normalize statement comprises an entire line...#View the waveform with the settings Points:1k, SR:10MS/s......range(0,100us)..sin(2*pi*x)+rnd()/10..norm()....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):168
                      Entropy (8bit):4.947763801831567
                      Encrypted:false
                      Malicious:false
                      Preview:#This Equation is for Phase modulation..#Here w = 2 * pi * x..#View the waveform with the Settings Points:5K,SR:1MS/s......range(0us,5ms)..Sin(20*w+pi*Sin(2*w))........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):173
                      Entropy (8bit):4.682901391331885
                      Encrypted:false
                      Malicious:false
                      Preview:#This equation is for Ramp Waveform..#Here t = Time from starting time that range specifies..#View the waveform with the Settings Points:5K,SR:1MS/s......range(0,5ms)..t....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):151
                      Entropy (8bit):4.910818136893702
                      Encrypted:false
                      Malicious:false
                      Preview:#This Equation is a Rectified Full wave Sine waveform..#View the waveform with the Settings Points:5K,SR:1GS/s....range(0us,5us)..abs(Sin(3*w))........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):200
                      Entropy (8bit):4.899696739135102
                      Encrypted:false
                      Malicious:false
                      Preview:#This Equation uses the round Function which..#Rounds off the fraction to obtain the integer...#View the waveform with the Settings Points:100K,SR:1GS/s....range(0,100us)..round(5*sin(2*pi*x))/5......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):303
                      Entropy (8bit):5.110108214932373
                      Encrypted:false
                      Malicious:false
                      Preview:#This is the equation for SINC i.e Sin(x)/x pulse..#The K0 indicates the Freq of the wave;..#K1 indicates the peak location of the pulse...#View the waveform with the Settings Points:1K,SR:10MS/s......range(0,100us)..k0=2.5e6..k1=20e-6..k2=10e-10..(sin(2*pi*k0*(t-k1))+k2) / ((2*pi*k0*(t-k1))+k2) ......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):147
                      Entropy (8bit):5.056218155406864
                      Encrypted:false
                      Malicious:false
                      Preview:#This equation is for Hamming Window waveform..#View the wavform with Settings Points:1K, SR:100MS/s....range(0us,10us)..0.08+0.46*(1-cos(w))......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):135
                      Entropy (8bit):4.886866800848952
                      Encrypted:false
                      Malicious:false
                      Preview:#This equation is for Hanning Window waveform..#View the wavform with Settings Points:1K, SR:100MS/s....range(0us,10us)..(1-cos(w))....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):143
                      Entropy (8bit):4.954901060891438
                      Encrypted:false
                      Malicious:false
                      Preview:#This equation gives the Absolute value...#View the waveform with Settings : Points=10K, SR=100MS/s....range(0,100us)..abs(sin(2*pi*x))........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):385
                      Entropy (8bit):4.981282284643184
                      Encrypted:false
                      Malicious:false
                      Preview:#This equation represents a more realistic carrier wave: ..#A 3.579545MHz sine wave with a 1 volt peak amplitude ..#and a 'pi' phase shift.(this delays the wave 180 degrees)..#Change the '3579545' to change the carrier frequency...#Change the '-pi' to change the time delay or phase.....#View the waveform with Settings Points:1K,SR:100MS/s..range(0us,10us)..sin(2*pi*3579545*t-pi)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):279
                      Entropy (8bit):4.85074631621121
                      Encrypted:false
                      Malicious:false
                      Preview:#This equation represents cosine waveform..#This equation is for 1 cycle cosine wave. ..#Change x to change the number of cycles. For example ..#for a two cycle cosine wave change x to 2x...#View the waveform with Settings:Points:10K,SR:100MS/s....range(0,100us)..cos(2*pi*x)....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):338
                      Entropy (8bit):4.866137233372633
                      Encrypted:false
                      Malicious:false
                      Preview:# This equation is specified with the diff() function...# The Function differentiates the function over the range ..# specified with range()...# The diff() comprises an entire line...# View the waveform with Settings Points:100K,SR:1GS/s....range(0,33us)..-0.5..range(33us,66us)..0.5..range(66us,100us)..-0.5..range(0,100us)..diff()......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):378
                      Entropy (8bit):4.828094443698755
                      Encrypted:false
                      SSDEEP:6:SbFmKA4F1WR0V1WrywWeu5F2XDJknQROLVX0G1LVbUxn3ofyN/WAXK+/:qjA4F1WRu1WryfD2F5O+khcnYfsWA1/
                      MD5:45A471D701C0BD6DA9B5D1F23027D2DC
                      SHA1:9C775920A1CBA363DEEA08F6E04F1022D5F8B608
                      SHA-256:1DD0000061C1276E59D044B3B9D32A97AE67D864194430634DEE0787A820271C
                      SHA-512:52DBFA0909C42D4FC17954200DB883102C3DAA2887AE85B8C1610580F2A3464F24292EDD06D04BEA8A04E7775A707AE2A53E3B07484FC9BBBE7C130D45D85323
                      Malicious:false
                      Preview:# This equation is exponential decay wfm..# Time is shifted to have a value of 1 at t=.1s. ..#The time constant is 10ms ..#The first half second will be filled with 0's)..#Change the '.5' to change the time shift...#Change the '10^-2' to change the time constant ..#View the waveform with Settings Points:1M, SR:1M....range(450ms,1000ms)..k0=1e-1..exp(-(t-0.1)/k0)..............
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):271
                      Entropy (8bit):4.838571336778942
                      Encrypted:false
                      SSDEEP:6:8pCIG/nvAEj2AZokvLVwROLVTrAMjf7vUT9tx9Un:tIgvhj2dkvmOxUmf7MZtcn
                      MD5:BDBE839B7596B7DAC6391BFBFADF5D12
                      SHA1:7FBD05F2C286CF6BD4E5F29AC91DF83C75506A84
                      SHA-256:274FEBE5A5FCB59E2DF87D9CE8F4E0D01A85DB9DBA3F01637F0C4DAF3F7F69AA
                      SHA-512:883EE8669B2B6BE788217307999395DDF0986664F518C1CBAC8FB00B28296B929A45E6C62E14C716B7F24C6B47EC95FA5BDDBCC2E33C72FD2AA764A0D0FBDE27
                      Malicious:false
                      Preview:#Haversin wave..#This is a 1Hz cosine wave with a .5V peak ..#with a .5 volt DC offset...#Change the '-.5' to change the voltage...#Change the '.5' to change the DC offset..#View the waveform with the Settings Points:1M,SR:1M....range(0,1s)...-0.5*cos(2*pi*t) + 0.5......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):190
                      Entropy (8bit):4.858794045853285
                      Encrypted:false
                      SSDEEP:3:DaLqiRNgpsK8ZE+SdAlSKoZXGWZB5+fYR9AMRxyMLwAhwPE2nuotNHo:9NfbNprAMjf1wPEPo/I
                      MD5:947FC384623D49080F2BEE5E023F160F
                      SHA1:479C03E0574AFCB888AFBF863EA325043FBFD180
                      SHA-256:0B863D14990E0757B0CE38517D4A0736705E1C330ACC36A9A362112B96FABE26
                      SHA-512:13FB82597690BE6C30D077F477F617E3BC6DCA7E11761AAA82C137E500F81EDC096A255A7FC9BD6C9A1C6A17237009614EB02F293014978D0EC8E04BD03E28AA
                      Malicious:false
                      Preview:#This equation uses the natural log function. ..#The arguments to the function must be positive..#View the waveform with the Settings Points:1K,SR:10MS/s....range(0,100us)..ln(2*(x+0.2))....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):424
                      Entropy (8bit):5.238697051518086
                      Encrypted:false
                      SSDEEP:12:qF36NerjouvrmpG6juSWQVnYfYwM4kAU0IV7MkbIOyOP:637DCGXSBKYFB4QRNyOP
                      MD5:8867CDCDE1E132F1A2C8FDD7E38EA664
                      SHA1:080B0B4753BB2BDD5D20B1B5B5F85035E6774100
                      SHA-256:78F54A0BE44E2B0EAB89D0402AD0587D902CB34F8B69E72441F868B8345E390B
                      SHA-512:CF20FC2C2B12BD11FDB2E7E6A0B6102DD5BBF109B93EF0D8DFE4B0ACA326DEA5416A2E549EE3DE3193AAA95E701C1AC71BE72931EEFA1A9B9E792613C86957FD
                      Malicious:false
                      Preview:#This is the square of a modulated sine wave...#The '3579545' is the original freq of the carrier wave...#The '.5' controls the amplitude before squaring...#The '146190' is the freq of the signal wave..#View the waveform with Settings Points:1M, SR:50K....range(0,20s)..k0=0.7143 #peak amplitude..k1=0.000037413 #time delay..k2=3579545..k3=146190..k4=0.5*(sin(2*pi*(t-k1)*k3)^2)..k0*((sin((2*pi*(t-k1*k2)-pi))+1)*k4).......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):286
                      Entropy (8bit):4.740487134019379
                      Encrypted:false
                      SSDEEP:6:SbF22IBcGySxHLz3LDKqenaTZucGTQRA0BrAMjfUKWDEPotIn:qtpsLzHVeKpG0m0BUmfTWD0r
                      MD5:92C93EA068B8AE634D782581444974B2
                      SHA1:92D6B0DDC5A6B209FDFE91DB0859E2D073D5A800
                      SHA-256:520E0A90DCB976BEE3B4DCBD44DABC6FAAE98901E8D5B41A4CA9813594266EB7
                      SHA-512:DAB6D9F7187D6B79D1FB26D787A29CFF264D9EA1A903274684A42C677735EAC69BD93F64A0C39FB6942659E500E907843D2AD23BC1EB80BA9971DE0D71D4DA22
                      Malicious:false
                      Preview:# This Equation uses Random Function rnd ..#When an argument is specified, generates ..#a random number sequence using that argument as the ..#initial value. If the argument is omitted,1 is used...#View the waveform with the Settings Points:100K,SR:1GS/s....range(0,100us)..rnd(2)/3....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):133
                      Entropy (8bit):4.999474456256988
                      Encrypted:false
                      SSDEEP:3:DaL2CWV7FjAWYVg3+PRV3oyMLw9FPE2nDhScL8ov:L7FjCVt3ofGFPEOgGx
                      MD5:AC477A374175160FD7AF64ABC72FF82B
                      SHA1:4A6C01EC01AA9BFC138749B8FFDACD741882B977
                      SHA-256:EF199529B39C387E2F1694DC00616822ED267276DEFD7CCB8BCD8E0D1702A743
                      SHA-512:3E226EB5B9E5EDDA373432CC8C2402A5167628768A5E742D9ED6B7EBF57AFF5A27C488CE9AE428E9015484C960F43CC18AC888FE55B389061766A5803D274553
                      Malicious:false
                      Preview:#This equation is for sin^2 waveform..#View the wavform with Settings Points:1K,SR:100MS/s....range(0,10us)..2*sin(2*pi*146190*t)^2..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):270
                      Entropy (8bit):5.0481030918562855
                      Encrypted:false
                      SSDEEP:6:J8uQOAy/HM//0ZXxFoShJWlYhshqXDXuRucaeg/rAsjf1wPETo5ryn:DQ4HW/0psgWYuqz/cat/UGfyPEUyn
                      MD5:DBD81F1969B73FCD6FD7B7554EE1C7CF
                      SHA1:330C8A19A9269DC7DB0778193C9776C15909B890
                      SHA-256:ECD377D279CB498B5623DAE772C1B26F990A3BCBB236B45F51E4B13DAFC1FE66
                      SHA-512:3EC94AFC8D7216EFF7202B72E9E9A7886F484F569564F00C093FF06A996DFCF2A3E751B98F5ED9650A480A57225839D8DBAC11E5EBEB73E76ADFEDD783E05F29
                      Malicious:false
                      Preview:#10KHz 1 cycle Sine Wave with a 10V pk-pk..#Here w = 2*pi*10^4*t..#The Freq of the equation F= 1/((points/cycle) * clock)..#In this equation Freq is 1/1000*100ns = 10Khz i.e 10^4..#View the waveform with the settings Points:1K,SR:10MS/s....range(0us,100us)..sin(w)......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):301
                      Entropy (8bit):5.066468430482892
                      Encrypted:false
                      SSDEEP:6:J8uQOAy/HLRNFpWVQ//0ZXxFoSnJW3lYhshqXDXuRuEprAMjfxwaUo9g+y:DQ4HLiVC/0ps8kVYuqz/EpUmfGaUoy
                      MD5:DEC4941B6FC9087352120C8635457242
                      SHA1:07FE2F4E7A525B8A92BE60C515CCF54CB15A8CB2
                      SHA-256:D5AC6395EE9FA7A5655DF4BD23E47CFC5FB2E6F6FDECAE508492874571D60988
                      SHA-512:F354AEAB43B64B7D113BA8E8742AEFCE4D94157689109288C66A2D8DF28070928E5A2007CD94197EE612E07880933CEF4FFBF08A1E06C36DA34BA28B72EF8368
                      Malicious:false
                      Preview:#10KHz 1 cycle Sine Wave with a 10V pk-pk..#and with 45 deg offset..#Here w = 2*pi*10^4*t..#The Freq of the equation is..#F= 1/((points/cycle) * clock)..#In this equation Freq is 1/1000*100ns = 10Khz..#View the waveform with the Settings Points:1K, SR:10MS/s......range(0us,100us)..sin(w-pi/4)........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):288
                      Entropy (8bit):5.092666818947481
                      Encrypted:false
                      SSDEEP:6:J8MMclEmoe0ZXxZA0TRlYhshqXOuEprAMjf1waEoQpBry:+fe0p40PYuqREpUmfyaElpty
                      MD5:624CB2249BCCDC64EB32441CAADCB784
                      SHA1:BA405EBAB05F008C1BBD3C4EEBE9A0CBA36FDE10
                      SHA-256:846C59A5764D5BBCDCECBCA6C3A6EE5C0575621A247183628AC72D37AA811BE5
                      SHA-512:E73190CED07329ECD0683D8DE36616F6313E29001EE7FCAF6BA6A603659C4979FC52ED489A5BD142EFA530CD5B0BBDAC3E90C46D4CE74DAB7765872019551893
                      Malicious:false
                      Preview:#10KHz Sine Wave with a 2V peak-to-peak amplitude...#The Frequency of the equation is calculated ..#by F= 1/((points/cycle) * clock)..#In this equation Frequency is 1/1000*100ns = 10Khz..#View the waveform with the Settings Points:1K,SR:10MS/s......range(0,100us)..sin(2*pi*1e4*t)........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):356
                      Entropy (8bit):5.058639111235817
                      Encrypted:false
                      SSDEEP:6:J8MMdrEmoe0NZBmoe0ZXxZ6VyTRlYhshqXPRUParUYn3oflTUP/br:1fe0NZBfe0pCaYuq/RUPabnYflTCr
                      MD5:6751B637900F71CB6D8B7B8572F3DA75
                      SHA1:47AC5A7352A8C00D8CF60F8BDD8841DB722DC71D
                      SHA-256:FF43C395A4BDF0716C95D8DCC985DF095FCBBEA9C99F6C0306B2B854811A27F8
                      SHA-512:D34D7430A610B568A81C7FF6000645711915B79ED359B6A6DCDBA665EB9FA85934F28ACA837511C22032CC5B319C77540D33C2B00408D82BA54DEA57DD8CBF36
                      Malicious:false
                      Preview:#10KHz Sine Wave with a 10V peak-to-peak amplitude...#The 5 represents the peak amplitude...#The Frequency of the equation is ..#calculated by F= 1/((points/cycle) * clock)..#In this equation Frequency is 1/1000*100ns..# = 10Khz i.e 10^4 in the equation..#View the waveform with Settings Points:1K,SR=100M......range(0us,10us)..5*sin(2*pi*10^4*t)..........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):273
                      Entropy (8bit):4.783672427129715
                      Encrypted:false
                      SSDEEP:6:N9oemy3RKikVAbDUc5gyh0UJOn3of1wPEPoPNy:cYKA7n0UJOnYfyP0Cy
                      MD5:F067FC24B20A114EBFB9F7563CA61242
                      SHA1:ACDDDA810662456FFA1F0D5F9082C4CFD1AEDD09
                      SHA-256:7E1C4B37761F81C7A7B9DA687FCF7A5091357E0D0606EB67F4565E6EB901260D
                      SHA-512:C936F0348B7F2E8F574F6335CB70EAAB0EFA91DBBE3802F57F9D908B362A6A0217F2138C36B55EBEB572CF50703510BADD4000FA0C07CE552C2735B58A465CC6
                      Malicious:false
                      Preview:#This Equation uses sqrt function sqrt( ..#which calculates the square root of the argument..#specified In square root function #sqrt( ..#the argument must be a positive value...#View the waveform with Settings Points:1K,SR:10MS/s....range(0,100us)..sqrt(sin(pi*x))........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):486
                      Entropy (8bit):4.965558101801653
                      Encrypted:false
                      SSDEEP:12:f60A9XSbFYxFfWMu3fezFSrxTeJfk2UmfOowPqptiDQYNw+5WCZyy:y0UdLWJpAvOoffZYf
                      MD5:85C087C9784053E4F8ACEE423986C4B5
                      SHA1:10BB3FDA9E7797322D44182F4DB139FCA44A5943
                      SHA-256:37652223F8586108CA68CBEB929135A13FB27A69929506DA26FB74BA316F9821
                      SHA-512:CBC655756B5E668EEFE9CDE1C67D66EE5DCE5D154C55A14402107981BFDC8673ACFEC255E04461ED30A1BBEA0903A70ACF29687C3D284D7D162CE49BD883AC30
                      Malicious:false
                      Preview:#This is a series expansion which breaks a ..#square wave down into it's component sine waves...#This is only the first 5 members of the series...#The base waveform is a 3Hz sine wave...#Change '3' in all the series members ..#to change the freq of the square wave...#View the waveform with the Settings Points:100K,SR:100KS/s....range(0,1s)..K0 = 0.333*sin(3*(6*t*pi)) ..K1 = 0.2*sin(5*(6*t*pi)) ..K2 = 0 .1428*sin(7*(6*t*pi))..sin(6*t*pi) +K0+ K1+ K2+ 0.111 * sin(9*(6*t*pi))........
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2642
                      Entropy (8bit):1.4056439268234804
                      Encrypted:false
                      SSDEEP:24:kMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWksG:uC
                      MD5:CB54F60F48E9C6305C456102D3671E49
                      SHA1:EA9481887A7E4D8C491B2A44C52FBC1B67E8F942
                      SHA-256:59270A8C10740AA75DD7F3F9453295A0D15B9746BDBF3084BE09AD0B8DC712EF
                      SHA-512:1A3043360BB65E74837C54F036ED6C1C7A36D3DD07EF7650FE58894890B368A46BD59BE8C4ECA601188DB81F22A4B2D47C4113131C472670C3E9FEFFBE8ECEEC
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2642
                      Entropy (8bit):3.3379277006362926
                      Encrypted:false
                      SSDEEP:24:ICiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+8:di+i+i+i+i+i+i+i+i+i+i+i+i6
                      MD5:CCB60DBF400A1E4A9C69BB80324A3862
                      SHA1:96426DF1A14C7363ABAC0794B18090F8FC90A69E
                      SHA-256:0397BC54E8E9A8611E70B43A184E1999A1AAD4329FE90C9E9FEAA4C89D960520
                      SHA-512:B98D1CB5C74E72F1A9DDA67AC31FAFE0A7888B21354DD401BF718119D4CB0151BDF50EC88D5F84BDA6E3CF38380E58DE5BF5DED533EFD668A0F9AF03C873EC87
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2602
                      Entropy (8bit):3.3259574705386865
                      Encrypted:false
                      SSDEEP:24:mtlQlQlQlQlQlQlQlQlQlQlQlQlQlQlQlUsG:mtaaaaaaaaaaaaaaaQ
                      MD5:BF7B65E32094B1289B21A0F57D752B95
                      SHA1:76E9E409DAF57FA8BEC54B4250EE6E5A74CC3C79
                      SHA-256:6E0B42219EBFD7DD9D71C4AA648FC89203AA1FBA5882E98336059D974693BF3E
                      SHA-512:88B97C9C872D93516FD9E478E8FCCD8541DB0C36C8E64697F2706510CE508DC84E107A9A2F4183B31AEFCFBF229414174644411B584DF3E67B09A28594FF676E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2642
                      Entropy (8bit):3.245444941587442
                      Encrypted:false
                      SSDEEP:48:16gS6gS6gS6gS6gS6gS6gS6gS6gS6gS6gS6gS6gK:16gS6gS6gS6gS6gS6gS6gS6gS6gS6gS+
                      MD5:D6CDF559195DCE8122A82405102BBDCE
                      SHA1:AA372CCCEBB95211F0C6143C680989DB3FA4A2E3
                      SHA-256:E4B2474CCEC2501A003D1AC87FEC3003A83B56621094636BC18113F20AEA457F
                      SHA-512:47DAFE41180F5909574E112D83F200B30EF85E0F51E66811C9C233394E7BAAF952F138EB3D62A7F6DD9902349FF3B8736CA0BD06DF91200F06F308E0927D3D5E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2682
                      Entropy (8bit):3.2016404997643333
                      Encrypted:false
                      SSDEEP:48:Rclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7z:RcB9jVcB9jVcB9jVcB9jVcB9jVcB9jV4
                      MD5:C9E88F2A016825FE917DED20867ABD2D
                      SHA1:98853AD648254E822F994F977A7D200B6B40A5DD
                      SHA-256:3098820068D58001FBE5DF458B868AA91FF7DACF12801D9518613C1E9E78F019
                      SHA-512:8F954E9CDF6C9CEF8E697770D29B4F0EE3E291C6D850987FD8C4794149C38E259203B1A0B7B2A74E26879FB97992F36EB012A2F47A506EDF3CA0F146F592323B
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2842
                      Entropy (8bit):3.2935452653247403
                      Encrypted:false
                      SSDEEP:24:jGp/RWGp/RWGp/RWGp/RWGp/RWGp/RWGp/RwsG:jGKGKGKGKGKGKGC
                      MD5:FF218399BE9B424DB7CBA338B2DE2644
                      SHA1:48EB3E1F4F1BA1DD12A04C88AD214404B3EC1165
                      SHA-256:84186AA280A9ADFFD10BFFA7C40152BD30AE5FB981CA0EC965006D96A42A7F31
                      SHA-512:52866B74001DC86B0374B6124B7968D39DB6FFF8A2490469EB5F00D44C99C0BDEDF245788971BFB967D14EC34B9EBDDD2CA35A24A6BB9535086349A4D4EC4965
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):3402
                      Entropy (8bit):3.0545033192532207
                      Encrypted:false
                      SSDEEP:96:AsmpEsmpEsmpEsmpEsmpEsmpEsmpEsmp7:AsmpEsmpEsmpEsmpEsmpEsmpEsmpEsmV
                      MD5:466BAF64BD401A0F062787500B09059A
                      SHA1:CC86EAACAD420CBFEB731B929A5DBFAC1E4151A3
                      SHA-256:CC04DDD6A26944ECD197A964B65E8E8091A20762625FDA16E632870A1D6356A7
                      SHA-512:C45B792EAAF474C8AE227FE05E667C7DAAA157F1726B90760EDCE0768138527110ECCE31D8920012614473CAE6A7EDFFD3D9BC6B33F5E710637FC40501D2620F
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2922
                      Entropy (8bit):2.779547698661516
                      Encrypted:false
                      SSDEEP:48:J0H0H0H0H0H0H0H0H0H0H0H0H0H0H0H0/:J0H0H0H0H0H0H0H0H0H0H0H0H0H0H0Hy
                      MD5:181DD37D630D15ED02E94AFACCA1CFF7
                      SHA1:6F2EDA3F35688D2E13BC68C0D2154BE47E4D02E5
                      SHA-256:FA117755915F20FF4FAC3E29E4519887D42146B77076DB4BBD4F8FC1E0BB5641
                      SHA-512:8C835B56B0638E1812CF83B345B6CA4DAD8192B3BD068064B97731B36D7FEE1EA2063F86A9C82B05AFDC2A12E42D9047E88AFAB8C3AD36E1581E7D2537FEEBC5
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2642
                      Entropy (8bit):1.4056439268234804
                      Encrypted:false
                      SSDEEP:24:kMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWksG:uC
                      MD5:CB54F60F48E9C6305C456102D3671E49
                      SHA1:EA9481887A7E4D8C491B2A44C52FBC1B67E8F942
                      SHA-256:59270A8C10740AA75DD7F3F9453295A0D15B9746BDBF3084BE09AD0B8DC712EF
                      SHA-512:1A3043360BB65E74837C54F036ED6C1C7A36D3DD07EF7650FE58894890B368A46BD59BE8C4ECA601188DB81F22A4B2D47C4113131C472670C3E9FEFFBE8ECEEC
                      Malicious:false
                      Preview:MAGIC 1000..#42600...............?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n.........?.............................?....D....n......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2642
                      Entropy (8bit):3.3379277006362926
                      Encrypted:false
                      SSDEEP:24:ICiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+82CiQO6+8:di+i+i+i+i+i+i+i+i+i+i+i+i6
                      MD5:CCB60DBF400A1E4A9C69BB80324A3862
                      SHA1:96426DF1A14C7363ABAC0794B18090F8FC90A69E
                      SHA-256:0397BC54E8E9A8611E70B43A184E1999A1AAD4329FE90C9E9FEAA4C89D960520
                      SHA-512:B98D1CB5C74E72F1A9DDA67AC31FAFE0A7888B21354DD401BF718119D4CB0151BDF50EC88D5F84BDA6E3CF38380E58DE5BF5DED533EFD668A0F9AF03C873EC87
                      Malicious:false
                      Preview:MAGIC 1000..#42600...?....?......?...................?.......?....?................|.................?.:..?.P.............................L..?....?...........D..............V.......?....?................b.................?....?......?...................?.......?....?................|.................?.:..?.P.............................L..?....?...........D..............V.......?....?................b.................?....?......?...................?.......?....?................|.................?.:..?.P.............................L..?....?...........D..............V.......?....?................b.................?....?......?...................?.......?....?................|.................?.:..?.P.............................L..?....?...........D..............V.......?....?................b.................?....?......?...................?.......?....?................|.................?.:..?.P.............................L..?....?...........D..............V.......?....?.............
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2602
                      Entropy (8bit):3.3259574705386865
                      Encrypted:false
                      SSDEEP:24:mtlQlQlQlQlQlQlQlQlQlQlQlQlQlQlQlUsG:mtaaaaaaaaaaaaaaaQ
                      MD5:BF7B65E32094B1289B21A0F57D752B95
                      SHA1:76E9E409DAF57FA8BEC54B4250EE6E5A74CC3C79
                      SHA-256:6E0B42219EBFD7DD9D71C4AA648FC89203AA1FBA5882E98336059D974693BF3E
                      SHA-512:88B97C9C872D93516FD9E478E8FCCD8541DB0C36C8E64697F2706510CE508DC84E107A9A2F4183B31AEFCFBF229414174644411B584DF3E67B09A28594FF676E
                      Malicious:false
                      Preview:MAGIC 1000..#42560...?....?....?.H..?.R..?....?....?.H..?...................................................j.........J...................$..................................V.......?....?....?.H..?.R..?....?....?.H..?...................................................j.........J...................$..................................V.......?....?....?.H..?.R..?....?....?.H..?...................................................j.........J...................$..................................V.......?....?....?.H..?.R..?....?....?.H..?...................................................j.........J...................$..................................V.......?....?....?.H..?.R..?....?....?.H..?...................................................j.........J...................$..................................V.......?....?....?.H..?.R..?....?....?.H..?...................................................j.........J...................$..................................V.......?....?....?.H..?.R.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2642
                      Entropy (8bit):3.245444941587442
                      Encrypted:false
                      SSDEEP:48:16gS6gS6gS6gS6gS6gS6gS6gS6gS6gS6gS6gS6gK:16gS6gS6gS6gS6gS6gS6gS6gS6gS6gS+
                      MD5:D6CDF559195DCE8122A82405102BBDCE
                      SHA1:AA372CCCEBB95211F0C6143C680989DB3FA4A2E3
                      SHA-256:E4B2474CCEC2501A003D1AC87FEC3003A83B56621094636BC18113F20AEA457F
                      SHA-512:47DAFE41180F5909574E112D83F200B30EF85E0F51E66811C9C233394E7BAAF952F138EB3D62A7F6DD9902349FF3B8736CA0BD06DF91200F06F308E0927D3D5E
                      Malicious:false
                      Preview:MAGIC 1000..#42600...?....?....?....?....?....?....?....?....?. ..?...............................@.........P.............................L.........R.........D..............V...............................................?....?....?....?....?....?....?....?....?. ..?...............................@.........P.............................L.........R.........D..............V...............................................?....?....?....?....?....?....?....?....?. ..?...............................@.........P.............................L.........R.........D..............V...............................................?....?....?....?....?....?....?....?....?. ..?...............................@.........P.............................L.........R.........D..............V...............................................?....?....?....?....?....?....?....?....?. ..?...............................@.........P.............................L.........R.........D..............V..........................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2682
                      Entropy (8bit):3.2016404997643333
                      Encrypted:false
                      SSDEEP:48:Rclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7Vclf9v7z:RcB9jVcB9jVcB9jVcB9jVcB9jVcB9jV4
                      MD5:C9E88F2A016825FE917DED20867ABD2D
                      SHA1:98853AD648254E822F994F977A7D200B6B40A5DD
                      SHA-256:3098820068D58001FBE5DF458B868AA91FF7DACF12801D9518613C1E9E78F019
                      SHA-512:8F954E9CDF6C9CEF8E697770D29B4F0EE3E291C6D850987FD8C4794149C38E259203B1A0B7B2A74E26879FB97992F36EB012A2F47A506EDF3CA0F146F592323B
                      Malicious:false
                      Preview:MAGIC 1000..#42640...?....?....?....?....?....?....?....?....?....?.R..?....?.....................@.........P.........@...................L.........R.........D......................................................................................................?....?....?....?....?....?....?....?....?....?.R..?....?.....................@.........P.........@...................L.........R.........D......................................................................................................?....?....?....?....?....?....?....?....?....?.R..?....?.....................@.........P.........@...................L.........R.........D......................................................................................................?....?....?....?....?....?....?....?....?....?.R..?....?.....................@.........P.........@...................L.........R.........D......................................................................................................?....?....?....?...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2842
                      Entropy (8bit):3.2935452653247403
                      Encrypted:false
                      SSDEEP:24:jGp/RWGp/RWGp/RWGp/RWGp/RWGp/RWGp/RwsG:jGKGKGKGKGKGKGC
                      MD5:FF218399BE9B424DB7CBA338B2DE2644
                      SHA1:48EB3E1F4F1BA1DD12A04C88AD214404B3EC1165
                      SHA-256:84186AA280A9ADFFD10BFFA7C40152BD30AE5FB981CA0EC965006D96A42A7F31
                      SHA-512:52866B74001DC86B0374B6124B7968D39DB6FFF8A2490469EB5F00D44C99C0BDEDF245788971BFB967D14EC34B9EBDDD2CA35A24A6BB9535086349A4D4EC4965
                      Malicious:false
                      Preview:MAGIC 1000..#42800"..?."..?......?...................?.......?....?.p..?."..?."..?....?."..?.$..?.b..?.X..?....?.*..?.@........."...."....$.........p..?."..?................V............................................"....p..............&..?.p..?...........$...."...."...."...."...."...."....*...."....:...."....$.............."..?.*..?. ..............&............................................ ..................."..?."..?......?...................?.......?....?.p..?."..?."..?....?."..?.$..?.b..?.X..?....?.*..?.@........."...."....$.........p..?."..?................V............................................"....p..............&..?.p..?...........$...."...."...."...."...."...."....*...."....:...."....$.............."..?.*..?. ..............&............................................ ..................."..?."..?......?...................?.......?....?.p..?."..?."..?....?."..?.$..?.b..?.X..?....?.*..?.@........."...."....$.........p..?."..?................V..........................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):3402
                      Entropy (8bit):3.0545033192532207
                      Encrypted:false
                      SSDEEP:96:AsmpEsmpEsmpEsmpEsmpEsmpEsmpEsmp7:AsmpEsmpEsmpEsmpEsmpEsmpEsmpEsmV
                      MD5:466BAF64BD401A0F062787500B09059A
                      SHA1:CC86EAACAD420CBFEB731B929A5DBFAC1E4151A3
                      SHA-256:CC04DDD6A26944ECD197A964B65E8E8091A20762625FDA16E632870A1D6356A7
                      SHA-512:C45B792EAAF474C8AE227FE05E667C7DAAA157F1726B90760EDCE0768138527110ECCE31D8920012614473CAE6A7EDFFD3D9BC6B33F5E710637FC40501D2620F
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2922
                      Entropy (8bit):2.779547698661516
                      Encrypted:false
                      SSDEEP:48:J0H0H0H0H0H0H0H0H0H0H0H0H0H0H0H0/:J0H0H0H0H0H0H0H0H0H0H0H0H0H0H0Hy
                      MD5:181DD37D630D15ED02E94AFACCA1CFF7
                      SHA1:6F2EDA3F35688D2E13BC68C0D2154BE47E4D02E5
                      SHA-256:FA117755915F20FF4FAC3E29E4519887D42146B77076DB4BBD4F8FC1E0BB5641
                      SHA-512:8C835B56B0638E1812CF83B345B6CA4DAD8192B3BD068064B97731B36D7FEE1EA2063F86A9C82B05AFDC2A12E42D9047E88AFAB8C3AD36E1581E7D2537FEEBC5
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2880045
                      Entropy (8bit):6.419444630430931
                      Encrypted:false
                      SSDEEP:49152:TCxk3sX9+35taRQTmzSOjKQekZxujpPXSAwL1tjP:OxosX9+3ra+mzSOjKQekzujpfSAwJZP
                      MD5:659EAA2AE7D6C1B83D279C77A1C1728F
                      SHA1:68EB9539DCF20975091F4812F72BC88A098BA56F
                      SHA-256:1C942350DBC023916EB67E82C496DAA41E32FD82B202B13BCC96B59C65B85E6C
                      SHA-512:E196857A15B3848C4D34B567A9704FE279526B71778B079A4E9EA21E4A224C4CD8EF19D0ED46B6462AF95C1486680AB01061917363C5FA034EBD4AC8BA9F771C
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2880045
                      Entropy (8bit):6.419444630430931
                      Encrypted:false
                      SSDEEP:49152:TCxk3sX9+35taRQTmzSOjKQekZxujpPXSAwL1tjP:OxosX9+3ra+mzSOjKQekzujpfSAwJZP
                      MD5:659EAA2AE7D6C1B83D279C77A1C1728F
                      SHA1:68EB9539DCF20975091F4812F72BC88A098BA56F
                      SHA-256:1C942350DBC023916EB67E82C496DAA41E32FD82B202B13BCC96B59C65B85E6C
                      SHA-512:E196857A15B3848C4D34B567A9704FE279526B71778B079A4E9EA21E4A224C4CD8EF19D0ED46B6462AF95C1486680AB01061917363C5FA034EBD4AC8BA9F771C
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):358
                      Entropy (8bit):4.278391194645534
                      Encrypted:false
                      SSDEEP:6:9ymklHrQLRQLdHrQLeIdQLfRG6fLCGhUuwSyyWatn:PklHrMRMdLMeIdMfosmGhUu8at
                      MD5:2472784FE3012B2002DBCF08E4AAE054
                      SHA1:5EAFC2D4BE652A99F97988E5ABBEA733DD4AA400
                      SHA-256:3457F9E78FDEC94B0BF5F48FDAF8FB949BAA0D446C74A59FF99180CA29801A81
                      SHA-512:F8443D1144F539090FDF156FB333DDE17929A45084819ACFA5A98646D3E518695C2C06F4418C9AD9C254901B0EDC449976A674E1FE9BD81263E8444A43A28DD8
                      Malicious:false
                      Preview:MAGIC 3003..LINES 4.."CCD_002.wfm", "CCD_001.wfm", "", 10000, 0, 0, 0.."CCD_004.wfm", "CCD_003.wfm", "", 10000, 0, 0, 0.."CCD_008.wfm", "CCD_007.wfm", "", 10000, 0, 0, 0.."CCD_006.wfm", "CCD_005.wfm", "", 10000, 0, 0, 0..TABLE_JUMP 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ..LOGIC_JUMP -1, -1, -1, -1, ..JUMP_MODE TABLE..JUMP_TIMING ASYNC ..STROBE 0..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1490
                      Entropy (8bit):5.250807936085089
                      Encrypted:false
                      SSDEEP:24:aDC1DXUe83voUjH7ima2vyYXTB+49huZVts6l1qrpSt873N:aDaEeoN7iH2vyYVz2vtl1qrpSk9
                      MD5:D65AD52B64E52B00CD4A275239E8E243
                      SHA1:E90FCC67CCC0DBD1EEE3F5E944285CB553234174
                      SHA-256:FE53055675DC109921DA589B4D4EB07F29E152D2B37F3BCEA7A813FFDBD8D40F
                      SHA-512:DEFF9F76184C879F42A108F0E5642AC7AC1D4AD0D606D7796774B459096E7D155DCB912E117DD2B7363B1E43D5779BF76D4AFEC63B82E755FB9F0B4BD19BCFFF
                      Malicious:false
                      Preview:MAGIC 4000..Version 3..Instrument 400..Ch1Add Off..Ch1Noise -1.3000000000e+02..Ch1SkewAdjust 0.0000000000e+00..Ch1WaveformSequence "CCD_002.wfm"..Ch1Filter Through..Ch1Amplitude 5.0000000000e-01..Ch1Offset 0.0000000000e+00..Ch1DirectOutput False..Ch2Add Noise..Ch2Noise -1.3000000000e+02..Ch2SkewAdjust 0.0000000000e+00..Ch2WaveformSequence "CCD_001.wfm"..Ch2Filter Through..Ch2Amplitude 1.0000000000e+00..Ch2Offset 5.0000000000e-01..Ch2DirectOutput False..Clock 1.0000000000e+07..ClockReference Internal..ClockSource Internal..RunMode Continuous..TriggerSource External..TriggerSlope Positive..TriggerPolarity Positive..TriggerLevel 1.4000000000e+00..TriggerImpedance 1kohm..TriggerInterval 1.0000000000e-01..LCDBackLight Enabled..HilightColor 0..HardcopyFormat BMP..HardcopyDrive Main..KeyboardType ASCII..KnobDirection Forward..RemoteControl Network..GpibConfiguration Talk/Listen..GpibAddress 30..DHCPClient Disabled..IPAddress 172.17.24.197..SubnetMask 255.255.240.0..Gateway1Address ..Gateway1N
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):358
                      Entropy (8bit):4.278391194645534
                      Encrypted:false
                      SSDEEP:6:9ymklHrQLRQLdHrQLeIdQLfRG6fLCGhUuwSyyWatn:PklHrMRMdLMeIdMfosmGhUu8at
                      MD5:2472784FE3012B2002DBCF08E4AAE054
                      SHA1:5EAFC2D4BE652A99F97988E5ABBEA733DD4AA400
                      SHA-256:3457F9E78FDEC94B0BF5F48FDAF8FB949BAA0D446C74A59FF99180CA29801A81
                      SHA-512:F8443D1144F539090FDF156FB333DDE17929A45084819ACFA5A98646D3E518695C2C06F4418C9AD9C254901B0EDC449976A674E1FE9BD81263E8444A43A28DD8
                      Malicious:false
                      Preview:MAGIC 3003..LINES 4.."CCD_002.wfm", "CCD_001.wfm", "", 10000, 0, 0, 0.."CCD_004.wfm", "CCD_003.wfm", "", 10000, 0, 0, 0.."CCD_008.wfm", "CCD_007.wfm", "", 10000, 0, 0, 0.."CCD_006.wfm", "CCD_005.wfm", "", 10000, 0, 0, 0..TABLE_JUMP 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ..LOGIC_JUMP -1, -1, -1, -1, ..JUMP_MODE TABLE..JUMP_TIMING ASYNC ..STROBE 0..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1490
                      Entropy (8bit):5.250807936085089
                      Encrypted:false
                      SSDEEP:24:aDC1DXUe83voUjH7ima2vyYXTB+49huZVts6l1qrpSt873N:aDaEeoN7iH2vyYVz2vtl1qrpSk9
                      MD5:D65AD52B64E52B00CD4A275239E8E243
                      SHA1:E90FCC67CCC0DBD1EEE3F5E944285CB553234174
                      SHA-256:FE53055675DC109921DA589B4D4EB07F29E152D2B37F3BCEA7A813FFDBD8D40F
                      SHA-512:DEFF9F76184C879F42A108F0E5642AC7AC1D4AD0D606D7796774B459096E7D155DCB912E117DD2B7363B1E43D5779BF76D4AFEC63B82E755FB9F0B4BD19BCFFF
                      Malicious:false
                      Preview:MAGIC 4000..Version 3..Instrument 400..Ch1Add Off..Ch1Noise -1.3000000000e+02..Ch1SkewAdjust 0.0000000000e+00..Ch1WaveformSequence "CCD_002.wfm"..Ch1Filter Through..Ch1Amplitude 5.0000000000e-01..Ch1Offset 0.0000000000e+00..Ch1DirectOutput False..Ch2Add Noise..Ch2Noise -1.3000000000e+02..Ch2SkewAdjust 0.0000000000e+00..Ch2WaveformSequence "CCD_001.wfm"..Ch2Filter Through..Ch2Amplitude 1.0000000000e+00..Ch2Offset 5.0000000000e-01..Ch2DirectOutput False..Clock 1.0000000000e+07..ClockReference Internal..ClockSource Internal..RunMode Continuous..TriggerSource External..TriggerSlope Positive..TriggerPolarity Positive..TriggerLevel 1.4000000000e+00..TriggerImpedance 1kohm..TriggerInterval 1.0000000000e-01..LCDBackLight Enabled..HilightColor 0..HardcopyFormat BMP..HardcopyDrive Main..KeyboardType ASCII..KnobDirection Forward..RemoteControl Network..GpibConfiguration Talk/Listen..GpibAddress 30..DHCPClient Disabled..IPAddress 172.17.24.197..SubnetMask 255.255.240.0..Gateway1Address ..Gateway1N
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):4.433661745438711
                      Encrypted:false
                      SSDEEP:96:egT6Jr9BwNAG18xnY7zqPbYoaqMXaNtlaGqdGtfYNy00DHS:zT6JpiN3SY60q7NijVy0Yy
                      MD5:BB580B2A437C0944DE4C2E1804FF9DEB
                      SHA1:B6C09D426E53A8C31C2562A5CEE5D5D61B96AD0E
                      SHA-256:92B553CCEEB030080FBB5C78B35CD255986F4D1BEAB6462B343F3D5844343131
                      SHA-512:DA28D52E0148E40BFAFC5501B8299683B5A2EA9D831C1FDD97982E2E9964531AC054CCB955B62944965DCF1D5C27B7D6B587E7E42E66088E1E429917CE772B25
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.015852203614612
                      Encrypted:false
                      SSDEEP:48:rZaCr6FGuozwN64loAc4DQoWBYyqeIH6YtXdNPiMceLYKD+i:HrFucwJu4OXqeYvdNPdrjD+i
                      MD5:C545F70498D75E9146B689D7A3D070B9
                      SHA1:44062780B34D8E279A9B6E1B14D7C7EA3E6ED0F0
                      SHA-256:2453CC77BD6E0322CAF11C189D1825CA764BD1CE2818FD80F1B0B936EA115CF9
                      SHA-512:CCC293CDC2154DF463EBB4CE0F9C7DF1C85B631F771A26B85C3CB35A05737EC85396E753AC3B0388979D6CA641920D55904F4460B372998342CCBB6C304459D8
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.04468170000289
                      Encrypted:false
                      SSDEEP:48:Na3CiWNAS5I25bRYqGlONCmiTZj7DGk/JFyLdXFkFZPpKZ9cXD9XqCQRwt+fSvWO:E3ChvrFlWPj/XmdoZPpKEp6XObt
                      MD5:AC08EFC98BADFBDA5CB93B7365E96054
                      SHA1:6A08B9D98CF1E0B121EC0825D6D8E558073FD60D
                      SHA-256:5446C8083349345A4F3E2165D577ED3B4DFDC84841C5FC627CDFFCD57BA9E4DB
                      SHA-512:3F705D71E35A2061FF04D1587B4C1044FC49E7281E6C6072247F7AB891FEE1158A6ABDCBE603D8A53728EEB6A309C39F93A8ECFC8E8F81AEDF4789DCC85CABAD
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.04468170000289
                      Encrypted:false
                      SSDEEP:48:Na3CiWNAS5I25bRYqGlONCmiTZj7DGk/JFyLdXFkFZPpKZ9cXD9XqCQRwt+fSvWO:E3ChvrFlWPj/XmdoZPpKEp6XObt
                      MD5:AC08EFC98BADFBDA5CB93B7365E96054
                      SHA1:6A08B9D98CF1E0B121EC0825D6D8E558073FD60D
                      SHA-256:5446C8083349345A4F3E2165D577ED3B4DFDC84841C5FC627CDFFCD57BA9E4DB
                      SHA-512:3F705D71E35A2061FF04D1587B4C1044FC49E7281E6C6072247F7AB891FEE1158A6ABDCBE603D8A53728EEB6A309C39F93A8ECFC8E8F81AEDF4789DCC85CABAD
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):4.433661745438711
                      Encrypted:false
                      SSDEEP:96:j2N1DvE+mWWjpAaD0Jp96v0mb4bo+BQzOb8gREgcaxqQCsy:ijDv8V4JG3oPQ4REBKqQCP
                      MD5:F23301918A230D01FDF1DE6E9CC96AF4
                      SHA1:AEC74E395764D77801F4E6CBC343604D6C97633D
                      SHA-256:5185BEC4A3E7EFB9C73B6027EB4C905A9665B400717887CB8C64CB9BF3B3E44B
                      SHA-512:107D64AE07E1C3C276876BC10E6D9C0A2E4AD891367A23C752390E883A25AD5E200665BBA0A16C086BBB842150CB43DA363CDD4C63C7805E8031F461D3915F78
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.05943574978778
                      Encrypted:false
                      SSDEEP:96:TalglMKA/StW/ly5fcIbilhJldWCu+iArnF3DjR3:TuglRtW/lmbGhB7u5Anr3
                      MD5:5C37B6542CEC0E9C2164BC918A0ABDDC
                      SHA1:186DC0B30E2BAA3E4E45039527D6E9F774564789
                      SHA-256:D833B88B90CD8BB59B92F0AB8F97FAC158DD91353152EB71C1FF12A21BBD3D82
                      SHA-512:E6FA5E50B7ABB449E15CCEC05F20800646D179D5FF88E592429AA35303E60B754CCA0E0EA50731F8EB5378E77A4B8165E67B5E13033F0435342ABE40D540F43D
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.0280036523495037
                      Encrypted:false
                      SSDEEP:48:Z8+Xh9hoWqXkmyAvF6NZNNTSERash0l6DQOb8UDwvs/MBAezJFSPteffaroUV5ZE:5hENIZNNBanAedguLa5Fk5
                      MD5:37B23504AFB53E951D328D701F133221
                      SHA1:FBD52D34087E10F168678498F30EE6312526F472
                      SHA-256:42901DD3CD26BF98295852AAA2FB59AAB117F05EB5FE4F4F876441BF194835B2
                      SHA-512:092047793169955CD5F6E797BAC40ADFF6381F054D47A02793A5CB5A84471050C55E5CD6B745C79D6729F1C5AA1B1C52F8083826DE693AB2CD5CFB0E23A8E0D9
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.0280036523495037
                      Encrypted:false
                      SSDEEP:48:Z8+Xh9hoWqXkmyAvF6NZNNTSERash0l6DQOb8UDwvs/MBAezJFSPteffaroUV5ZE:5hENIZNNBanAedguLa5Fk5
                      MD5:37B23504AFB53E951D328D701F133221
                      SHA1:FBD52D34087E10F168678498F30EE6312526F472
                      SHA-256:42901DD3CD26BF98295852AAA2FB59AAB117F05EB5FE4F4F876441BF194835B2
                      SHA-512:092047793169955CD5F6E797BAC40ADFF6381F054D47A02793A5CB5A84471050C55E5CD6B745C79D6729F1C5AA1B1C52F8083826DE693AB2CD5CFB0E23A8E0D9
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):4.433661745438711
                      Encrypted:false
                      SSDEEP:96:egT6Jr9BwNAG18xnY7zqPbYoaqMXaNtlaGqdGtfYNy00DHS:zT6JpiN3SY60q7NijVy0Yy
                      MD5:BB580B2A437C0944DE4C2E1804FF9DEB
                      SHA1:B6C09D426E53A8C31C2562A5CEE5D5D61B96AD0E
                      SHA-256:92B553CCEEB030080FBB5C78B35CD255986F4D1BEAB6462B343F3D5844343131
                      SHA-512:DA28D52E0148E40BFAFC5501B8299683B5A2EA9D831C1FDD97982E2E9964531AC054CCB955B62944965DCF1D5C27B7D6B587E7E42E66088E1E429917CE772B25
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.015852203614612
                      Encrypted:false
                      SSDEEP:48:rZaCr6FGuozwN64loAc4DQoWBYyqeIH6YtXdNPiMceLYKD+i:HrFucwJu4OXqeYvdNPdrjD+i
                      MD5:C545F70498D75E9146B689D7A3D070B9
                      SHA1:44062780B34D8E279A9B6E1B14D7C7EA3E6ED0F0
                      SHA-256:2453CC77BD6E0322CAF11C189D1825CA764BD1CE2818FD80F1B0B936EA115CF9
                      SHA-512:CCC293CDC2154DF463EBB4CE0F9C7DF1C85B631F771A26B85C3CB35A05737EC85396E753AC3B0388979D6CA641920D55904F4460B372998342CCBB6C304459D8
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.04468170000289
                      Encrypted:false
                      SSDEEP:48:Na3CiWNAS5I25bRYqGlONCmiTZj7DGk/JFyLdXFkFZPpKZ9cXD9XqCQRwt+fSvWO:E3ChvrFlWPj/XmdoZPpKEp6XObt
                      MD5:AC08EFC98BADFBDA5CB93B7365E96054
                      SHA1:6A08B9D98CF1E0B121EC0825D6D8E558073FD60D
                      SHA-256:5446C8083349345A4F3E2165D577ED3B4DFDC84841C5FC627CDFFCD57BA9E4DB
                      SHA-512:3F705D71E35A2061FF04D1587B4C1044FC49E7281E6C6072247F7AB891FEE1158A6ABDCBE603D8A53728EEB6A309C39F93A8ECFC8E8F81AEDF4789DCC85CABAD
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):4.433661745438711
                      Encrypted:false
                      SSDEEP:96:j2N1DvE+mWWjpAaD0Jp96v0mb4bo+BQzOb8gREgcaxqQCsy:ijDv8V4JG3oPQ4REBKqQCP
                      MD5:F23301918A230D01FDF1DE6E9CC96AF4
                      SHA1:AEC74E395764D77801F4E6CBC343604D6C97633D
                      SHA-256:5185BEC4A3E7EFB9C73B6027EB4C905A9665B400717887CB8C64CB9BF3B3E44B
                      SHA-512:107D64AE07E1C3C276876BC10E6D9C0A2E4AD891367A23C752390E883A25AD5E200665BBA0A16C086BBB842150CB43DA363CDD4C63C7805E8031F461D3915F78
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.05943574978778
                      Encrypted:false
                      SSDEEP:96:TalglMKA/StW/ly5fcIbilhJldWCu+iArnF3DjR3:TuglRtW/lmbGhB7u5Anr3
                      MD5:5C37B6542CEC0E9C2164BC918A0ABDDC
                      SHA1:186DC0B30E2BAA3E4E45039527D6E9F774564789
                      SHA-256:D833B88B90CD8BB59B92F0AB8F97FAC158DD91353152EB71C1FF12A21BBD3D82
                      SHA-512:E6FA5E50B7ABB449E15CCEC05F20800646D179D5FF88E592429AA35303E60B754CCA0E0EA50731F8EB5378E77A4B8165E67B5E13033F0435342ABE40D540F43D
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5157
                      Entropy (8bit):3.0280036523495037
                      Encrypted:false
                      SSDEEP:48:Z8+Xh9hoWqXkmyAvF6NZNNTSERash0l6DQOb8UDwvs/MBAezJFSPteffaroUV5ZE:5hENIZNNBanAedguLa5Fk5
                      MD5:37B23504AFB53E951D328D701F133221
                      SHA1:FBD52D34087E10F168678498F30EE6312526F472
                      SHA-256:42901DD3CD26BF98295852AAA2FB59AAB117F05EB5FE4F4F876441BF194835B2
                      SHA-512:092047793169955CD5F6E797BAC40ADFF6381F054D47A02793A5CB5A84471050C55E5CD6B745C79D6729F1C5AA1B1C52F8083826DE693AB2CD5CFB0E23A8E0D9
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):250044
                      Entropy (8bit):5.374978832096472
                      Encrypted:false
                      SSDEEP:768:t4my8vfFbN7HB/f0xL2XXglKX2L324v+kntKfgLVS5R/eQ2UdJB2SX02sXumCB/o:b34jHx00lRzca1Sw
                      MD5:B41182B484E688CBBCA8A2CAACDC06A6
                      SHA1:9FF6E65AA7AF76FD0B74B945B9B78FDA114C50A2
                      SHA-256:603CB9FFBA10C502494DE3CD9404352A99C56E4825F471B409B5A02472C612F0
                      SHA-512:B7BF97801E69C0EEE213207CD3F16B0BD6159065B2B2E4613C998D7CD31D25270E1A708E9B78C18297DD79D151139A37F3A1E1CF58109475ECA42FD2B9E88B5A
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):250044
                      Entropy (8bit):5.374978832096472
                      Encrypted:false
                      SSDEEP:768:t4my8vfFbN7HB/f0xL2XXglKX2L324v+kntKfgLVS5R/eQ2UdJB2SX02sXumCB/o:b34jHx00lRzca1Sw
                      MD5:B41182B484E688CBBCA8A2CAACDC06A6
                      SHA1:9FF6E65AA7AF76FD0B74B945B9B78FDA114C50A2
                      SHA-256:603CB9FFBA10C502494DE3CD9404352A99C56E4825F471B409B5A02472C612F0
                      SHA-512:B7BF97801E69C0EEE213207CD3F16B0BD6159065B2B2E4613C998D7CD31D25270E1A708E9B78C18297DD79D151139A37F3A1E1CF58109475ECA42FD2B9E88B5A
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2363245
                      Entropy (8bit):6.734092682549553
                      Encrypted:false
                      SSDEEP:49152:IcCrMW3XVkmU8uUuThhGMhA089SyCCjlUH8jNVXB+ZUWlUP/kL9BtlN/731:IvrPXVkmUrZVEMhM9SyCCjlZrXwUnkLz
                      MD5:595344B3A798D47B42B85C1B647160D4
                      SHA1:9B18A14F2CD20E1035293C1583AC2D795FF63F62
                      SHA-256:C42CB0CB557165FE2BFA25A5B74D013669846295E04EDAC1D92781570610B484
                      SHA-512:3E886AF27DFCB6DC80001528431C6ACE418CD1F178FBB5F75EF26B1368AE316DB23CFE1A5CEAC6BE010D3C7FF27CB1C2DA745B47DECCCA774C89521280D62C6E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4726445
                      Entropy (8bit):6.734035575668014
                      Encrypted:false
                      SSDEEP:98304:g+YGyl8m8c8VZsr6W5zDPR+zXjnxA93XyNKfi:HyGc8zsr6wB+zTnxAZyj
                      MD5:34AD40B313E49F9E9963D43C803ABA12
                      SHA1:6F8B7767F5CC14C9330B9D3F7F1F243DB3A696CD
                      SHA-256:6F3FD934EA4E88D776530BAA2EB84655757936D5E5351C030C95DF3989111B8A
                      SHA-512:F2254DAA9929D36184D51F0B4D3209E724C7B3194895656DA2E67255F59A16B7B74A39194B745121B7E23D9F9707666EEABEC0A9816C892C3A5A66FCF5399A07
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):147744
                      Entropy (8bit):6.3112913177786565
                      Encrypted:false
                      SSDEEP:1536:bOdyFbqwevQWPT7RDgdwf/kAvEr9PbNEozHEYtNuFdwnAXDTYOruuQ6aazL9u:qdWqb/gHg2aoz+FdLHY6sJW9u
                      MD5:F8C8283A7AD0CBB27734000D779D5C52
                      SHA1:AAD6AC2847EB45F6E91644413CA9B9F30DCF7311
                      SHA-256:17067621294F6B6AE2339CE56AFDF5B579D9532F597FAB72FEDC83785B2FA4CA
                      SHA-512:0F204DDA497F190B8911B1206F91B8255571C955050BAC13B00A579CC1B0FADA40FF789D57CADEE4ECC8E346B2DB66587BEA8634FA0E540199DCB4C0E851BC6B
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2363245
                      Entropy (8bit):6.730212234194968
                      Encrypted:false
                      SSDEEP:49152:lfaFy3vCev0+ndNKFWBt9xrr0YE4RkOAFSgampZ:wMz0+njKF+xrrdEgUamZ
                      MD5:2C56302341352CFC4F86D4B22B369405
                      SHA1:E8B84BCF2DDE571213B24BF4148830337EE293F6
                      SHA-256:1A54CC22E66B8BB053E505F5FA2B446FCA8861D49212D07DBEDEFB05E6176107
                      SHA-512:E27E757EEBAB7C51FDE2DC45FDE365CE6A587674F8E92941BBADBC93ECC9145F71EC2997CB245220A6BF89C033F2C06BD055ED845098A89B05F3C3BA647B5920
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4726445
                      Entropy (8bit):6.730381218428854
                      Encrypted:false
                      SSDEEP:98304:iP1XeXrO9w5h1yCJfdhLSs0p3WbrgoPdJ76tWCy85LXZ0bX13fsCPClYN:iP1XeX2A1yCl10pGooVJ7EWCxOhf7iQ
                      MD5:A8D37CC38E8F2C4110F7B55E60EE9825
                      SHA1:A59236912AED5AD93498EFE4C6472A9C76D1B886
                      SHA-256:169176A834F21293883E84770E6E5B5433E2824DB8F6C2003EA930840222CBA1
                      SHA-512:D35159A72994004976DB011F997DE05D9EEF2D13224A6066B21A0053C23AF646AFD66A766B05ABD57ADDB5C5D86CBA1F0AB0F6630777D502B1988E3502AA81AB
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):147744
                      Entropy (8bit):6.3143930682292115
                      Encrypted:false
                      SSDEEP:1536:y6bKCjx2T/a/EnfwN4D1jYC4yLRLRFdwvnK/7KM+xapkmZuvj39oIYA03mRSWgwV:tOCjxOfU4pY+bFGEsap9Oj9oZ3OgwV
                      MD5:B58DE594F86A498D8C950865F506190E
                      SHA1:2082C944A01A90D147F2784576D28AD5121D3376
                      SHA-256:2A5F375A61BA71E31FD8C3FDF399729AB9B3F3921AD97BACAA104BBACAB081BE
                      SHA-512:DA27C05462ADDCABA3C9F9C8A9084FBB01910777D3650F7D185158581257EA64CA7028E9DF1BCE2FC53609474CF331D6E7406516B4DA585B0B139BE2B7483A7E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2363245
                      Entropy (8bit):6.731822669451422
                      Encrypted:false
                      SSDEEP:49152:yQbPO3gFxoSwAYXJtq2BHHirzdL3OxWJCL1A4v:TbPO3gFGSwAuJt7pHiHJ3OxbAc
                      MD5:369DA59226FF78AA0E8E82505637962E
                      SHA1:DFC3EE7F547D9FE8160F004E5F6D2D9CB278382C
                      SHA-256:5323A42EA86705305548FB5599FECFC8249AC02E6892F79CCCCD73A21D7FC79D
                      SHA-512:E09884565D6DB0631C6067F6B1B98E14373739A4C7CE9396547A293F1F3FAE00E6617952A0EB1D962B24AEDD31A97A1B66C1C425B542BFC5083B98FE09704A6E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4726445
                      Entropy (8bit):6.73131511607227
                      Encrypted:false
                      SSDEEP:98304:r68Tm8U/6h4QF5UP0zelWvIFJ9uXqwDTCVKgXxA/2E:rzTm8tvSMSAvEJGqwKwyxA/7
                      MD5:506BFBF1647C22944558FB960A021116
                      SHA1:27E51D7AE2C3B69D15EB5A50EED1CFA2300BCDA0
                      SHA-256:48CD443524D6891B51069588DDB73B2387B53EF0E38313E468884E4AC68488FB
                      SHA-512:BB7C7BC2623E8487B8A451E043E139176EBBDF02B740CB80D9C343086ABEE68DC2BE8C80233EE52B3DDC1B186FC8F0978A6EB6847C8052C7B5CCD4B7235E1629
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2363245
                      Entropy (8bit):6.734092682549553
                      Encrypted:false
                      SSDEEP:49152:IcCrMW3XVkmU8uUuThhGMhA089SyCCjlUH8jNVXB+ZUWlUP/kL9BtlN/731:IvrPXVkmUrZVEMhM9SyCCjlZrXwUnkLz
                      MD5:595344B3A798D47B42B85C1B647160D4
                      SHA1:9B18A14F2CD20E1035293C1583AC2D795FF63F62
                      SHA-256:C42CB0CB557165FE2BFA25A5B74D013669846295E04EDAC1D92781570610B484
                      SHA-512:3E886AF27DFCB6DC80001528431C6ACE418CD1F178FBB5F75EF26B1368AE316DB23CFE1A5CEAC6BE010D3C7FF27CB1C2DA745B47DECCCA774C89521280D62C6E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4726445
                      Entropy (8bit):6.734035575668014
                      Encrypted:false
                      SSDEEP:98304:g+YGyl8m8c8VZsr6W5zDPR+zXjnxA93XyNKfi:HyGc8zsr6wB+zTnxAZyj
                      MD5:34AD40B313E49F9E9963D43C803ABA12
                      SHA1:6F8B7767F5CC14C9330B9D3F7F1F243DB3A696CD
                      SHA-256:6F3FD934EA4E88D776530BAA2EB84655757936D5E5351C030C95DF3989111B8A
                      SHA-512:F2254DAA9929D36184D51F0B4D3209E724C7B3194895656DA2E67255F59A16B7B74A39194B745121B7E23D9F9707666EEABEC0A9816C892C3A5A66FCF5399A07
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):147744
                      Entropy (8bit):6.3112913177786565
                      Encrypted:false
                      SSDEEP:1536:bOdyFbqwevQWPT7RDgdwf/kAvEr9PbNEozHEYtNuFdwnAXDTYOruuQ6aazL9u:qdWqb/gHg2aoz+FdLHY6sJW9u
                      MD5:F8C8283A7AD0CBB27734000D779D5C52
                      SHA1:AAD6AC2847EB45F6E91644413CA9B9F30DCF7311
                      SHA-256:17067621294F6B6AE2339CE56AFDF5B579D9532F597FAB72FEDC83785B2FA4CA
                      SHA-512:0F204DDA497F190B8911B1206F91B8255571C955050BAC13B00A579CC1B0FADA40FF789D57CADEE4ECC8E346B2DB66587BEA8634FA0E540199DCB4C0E851BC6B
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2363245
                      Entropy (8bit):6.730212234194968
                      Encrypted:false
                      SSDEEP:49152:lfaFy3vCev0+ndNKFWBt9xrr0YE4RkOAFSgampZ:wMz0+njKF+xrrdEgUamZ
                      MD5:2C56302341352CFC4F86D4B22B369405
                      SHA1:E8B84BCF2DDE571213B24BF4148830337EE293F6
                      SHA-256:1A54CC22E66B8BB053E505F5FA2B446FCA8861D49212D07DBEDEFB05E6176107
                      SHA-512:E27E757EEBAB7C51FDE2DC45FDE365CE6A587674F8E92941BBADBC93ECC9145F71EC2997CB245220A6BF89C033F2C06BD055ED845098A89B05F3C3BA647B5920
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4726445
                      Entropy (8bit):6.730381218428854
                      Encrypted:false
                      SSDEEP:98304:iP1XeXrO9w5h1yCJfdhLSs0p3WbrgoPdJ76tWCy85LXZ0bX13fsCPClYN:iP1XeX2A1yCl10pGooVJ7EWCxOhf7iQ
                      MD5:A8D37CC38E8F2C4110F7B55E60EE9825
                      SHA1:A59236912AED5AD93498EFE4C6472A9C76D1B886
                      SHA-256:169176A834F21293883E84770E6E5B5433E2824DB8F6C2003EA930840222CBA1
                      SHA-512:D35159A72994004976DB011F997DE05D9EEF2D13224A6066B21A0053C23AF646AFD66A766B05ABD57ADDB5C5D86CBA1F0AB0F6630777D502B1988E3502AA81AB
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):147744
                      Entropy (8bit):6.3143930682292115
                      Encrypted:false
                      SSDEEP:1536:y6bKCjx2T/a/EnfwN4D1jYC4yLRLRFdwvnK/7KM+xapkmZuvj39oIYA03mRSWgwV:tOCjxOfU4pY+bFGEsap9Oj9oZ3OgwV
                      MD5:B58DE594F86A498D8C950865F506190E
                      SHA1:2082C944A01A90D147F2784576D28AD5121D3376
                      SHA-256:2A5F375A61BA71E31FD8C3FDF399729AB9B3F3921AD97BACAA104BBACAB081BE
                      SHA-512:DA27C05462ADDCABA3C9F9C8A9084FBB01910777D3650F7D185158581257EA64CA7028E9DF1BCE2FC53609474CF331D6E7406516B4DA585B0B139BE2B7483A7E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):2363245
                      Entropy (8bit):6.731822669451422
                      Encrypted:false
                      SSDEEP:49152:yQbPO3gFxoSwAYXJtq2BHHirzdL3OxWJCL1A4v:TbPO3gFGSwAuJt7pHiHJ3OxbAc
                      MD5:369DA59226FF78AA0E8E82505637962E
                      SHA1:DFC3EE7F547D9FE8160F004E5F6D2D9CB278382C
                      SHA-256:5323A42EA86705305548FB5599FECFC8249AC02E6892F79CCCCD73A21D7FC79D
                      SHA-512:E09884565D6DB0631C6067F6B1B98E14373739A4C7CE9396547A293F1F3FAE00E6617952A0EB1D962B24AEDD31A97A1B66C1C425B542BFC5083B98FE09704A6E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):4726445
                      Entropy (8bit):6.73131511607227
                      Encrypted:false
                      SSDEEP:98304:r68Tm8U/6h4QF5UP0zelWvIFJ9uXqwDTCVKgXxA/2E:rzTm8tvSMSAvEJGqwKwyxA/7
                      MD5:506BFBF1647C22944558FB960A021116
                      SHA1:27E51D7AE2C3B69D15EB5A50EED1CFA2300BCDA0
                      SHA-256:48CD443524D6891B51069588DDB73B2387B53EF0E38313E468884E4AC68488FB
                      SHA-512:BB7C7BC2623E8487B8A451E043E139176EBBDF02B740CB80D9C343086ABEE68DC2BE8C80233EE52B3DDC1B186FC8F0978A6EB6847C8052C7B5CCD4B7235E1629
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):375044
                      Entropy (8bit):5.544636915042466
                      Encrypted:false
                      SSDEEP:1536:GvuvY14lVvBmdv2xvsYhK3v1YDaWvgFDvXMvX3Q52yvovK3vfvjPOIjv0jJr5+Gg:yciN1gRNyNAdNLeUhXuVZ3pQfH3q9TL
                      MD5:2222518F269F93472F3B7D5C26E1B3B9
                      SHA1:39DE445E75C80E1033CBF180CF49744B2482AA49
                      SHA-256:46B361D5DCABF89DBD027CB6401ABF12E2CEF18DE82AB8DCC1E9C01CFB8B06BE
                      SHA-512:2AD747E5ADF365A412090F686D8F31A3A94C695C890FB98C491C151ADD7C9B59F1A72BA9A325B352553DAF330C2F7372A89F95159AA972931ECAEE40351D067A
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):375044
                      Entropy (8bit):5.544636915042466
                      Encrypted:false
                      SSDEEP:1536:GvuvY14lVvBmdv2xvsYhK3v1YDaWvgFDvXMvX3Q52yvovK3vfvjPOIjv0jJr5+Gg:yciN1gRNyNAdNLeUhXuVZ3pQfH3q9TL
                      MD5:2222518F269F93472F3B7D5C26E1B3B9
                      SHA1:39DE445E75C80E1033CBF180CF49744B2482AA49
                      SHA-256:46B361D5DCABF89DBD027CB6401ABF12E2CEF18DE82AB8DCC1E9C01CFB8B06BE
                      SHA-512:2AD747E5ADF365A412090F686D8F31A3A94C695C890FB98C491C151ADD7C9B59F1A72BA9A325B352553DAF330C2F7372A89F95159AA972931ECAEE40351D067A
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):10263
                      Entropy (8bit):0.9780016951624251
                      Encrypted:false
                      SSDEEP:24:hr444444144D4e9DD44E49t4g44V494t4D4U44r444gAD4DDgQ4D444r449Ug4rh:haaam
                      MD5:91F0064113F8F59597425670AF90869D
                      SHA1:B701044A530CFAEE7FA9CB8FF6D2200C6DEA20A0
                      SHA-256:5432A31E92FCFB0AA203739F79453AA59DF67E545D9455B3F7934517E15137F0
                      SHA-512:7C6E71521599E55E17E005AF4AC1FBDB6503726FCB7D4044118EFD81E38A2D6C550737FED30D46DA64C8E8A296DC0BAE073E76394810CECA347917839E03451E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):10263
                      Entropy (8bit):0.9780016951624251
                      Encrypted:false
                      SSDEEP:24:hr444444144D4e9DD44E49t4g44V494t4D4U44r444gAD4DDgQ4D444r449Ug4rh:haaam
                      MD5:91F0064113F8F59597425670AF90869D
                      SHA1:B701044A530CFAEE7FA9CB8FF6D2200C6DEA20A0
                      SHA-256:5432A31E92FCFB0AA203739F79453AA59DF67E545D9455B3F7934517E15137F0
                      SHA-512:7C6E71521599E55E17E005AF4AC1FBDB6503726FCB7D4044118EFD81E38A2D6C550737FED30D46DA64C8E8A296DC0BAE073E76394810CECA347917839E03451E
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):160044
                      Entropy (8bit):1.7207414370044587
                      Encrypted:false
                      SSDEEP:24:y1WNNNNNNNNNNNNNNNNNNNNNNNN4z4z4z4z4z4z4z4z4z4z4z4z4z4z4z4z4z4zR:y4v
                      MD5:E22ABE5022F935B3BBE977B75A221F89
                      SHA1:9FECCE887D2450BE45206A433C58758F76F83EA1
                      SHA-256:B8AA2E7F1B8F67E6497B2D6BB0E8D25FEF652C95C8B81401A726DD4FB091FEF8
                      SHA-512:31655CA947534696E87BCFD84ED62DD34A1EEEA03FE4EEC9AF981D311292B8E7555B1EA9450E285CCB7019A1C3A5680C6076322475235AF22F239FDC7DAE03F2
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):160044
                      Entropy (8bit):1.7207414370044587
                      Encrypted:false
                      SSDEEP:24:y1WNNNNNNNNNNNNNNNNNNNNNNNN4z4z4z4z4z4z4z4z4z4z4z4z4z4z4z4z4z4zR:y4v
                      MD5:E22ABE5022F935B3BBE977B75A221F89
                      SHA1:9FECCE887D2450BE45206A433C58758F76F83EA1
                      SHA-256:B8AA2E7F1B8F67E6497B2D6BB0E8D25FEF652C95C8B81401A726DD4FB091FEF8
                      SHA-512:31655CA947534696E87BCFD84ED62DD34A1EEEA03FE4EEC9AF981D311292B8E7555B1EA9450E285CCB7019A1C3A5680C6076322475235AF22F239FDC7DAE03F2
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5042
                      Entropy (8bit):2.771122244913468
                      Encrypted:false
                      SSDEEP:24:c47t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7w:m
                      MD5:25A1AB37C167A73A441AADB6ABC51BD7
                      SHA1:7E257C7EAADD0E457BEE02D3AD4FA07A61F6F541
                      SHA-256:97ED857ECE366B2ECAA3645758B3BA813A6AFF8B9468A13BF7AE03E991B9F1E3
                      SHA-512:BB41FA1C4BCC576C0B33CEDDA1E706876B9411DF67260C16DF1B86DE8F019CDF4798C9C85474C82B607FD20E6369FA8EA6F6A9787FBA1AFB316E6214E7E8EEBF
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):5042
                      Entropy (8bit):2.771122244913468
                      Encrypted:false
                      SSDEEP:24:c47t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7t7w:m
                      MD5:25A1AB37C167A73A441AADB6ABC51BD7
                      SHA1:7E257C7EAADD0E457BEE02D3AD4FA07A61F6F541
                      SHA-256:97ED857ECE366B2ECAA3645758B3BA813A6AFF8B9468A13BF7AE03E991B9F1E3
                      SHA-512:BB41FA1C4BCC576C0B33CEDDA1E706876B9411DF67260C16DF1B86DE8F019CDF4798C9C85474C82B607FD20E6369FA8EA6F6A9787FBA1AFB316E6214E7E8EEBF
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows icon resource - 6 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                      Category:dropped
                      Size (bytes):10134
                      Entropy (8bit):2.725839820837408
                      Encrypted:false
                      SSDEEP:48:dm+cPmXxDDDDDDDFDRjDjTDDDDDDDDDB7HPptoHLnz:dmvPmYLnz
                      MD5:B5F4B7747CE892F9DFC884691FC40C8D
                      SHA1:1116614DBD9AA85D97B9CA0FB02A20E09F263B71
                      SHA-256:2FA7AC85D608C3D3A9CA7B7AEAC23819BDBC36610DC9C80259FA20A2BB2CDE72
                      SHA-512:651644C8C79F796091B8324566DDCB4567B938102989375A3068B2AE264E1BEB55AE7AE87946D91996BEF9DEDB4603A7782D1182B25B31B043BD7411ED32B2C5
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows icon resource - 6 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                      Category:dropped
                      Size (bytes):10134
                      Entropy (8bit):2.725839820837408
                      Encrypted:false
                      SSDEEP:48:dm+cPmXxDDDDDDDFDRjDjTDDDDDDDDDB7HPptoHLnz:dmvPmYLnz
                      MD5:B5F4B7747CE892F9DFC884691FC40C8D
                      SHA1:1116614DBD9AA85D97B9CA0FB02A20E09F263B71
                      SHA-256:2FA7AC85D608C3D3A9CA7B7AEAC23819BDBC36610DC9C80259FA20A2BB2CDE72
                      SHA-512:651644C8C79F796091B8324566DDCB4567B938102989375A3068B2AE264E1BEB55AE7AE87946D91996BEF9DEDB4603A7782D1182B25B31B043BD7411ED32B2C5
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):169472
                      Entropy (8bit):5.783231724742427
                      Encrypted:false
                      SSDEEP:3072:bv84RASBNvWMdaoTP0Yt4fscMcGP+MBpXh:x2vMdx0nc
                      MD5:F3C12BC2AD56585937D74506C9D62F96
                      SHA1:5F5F4CF8F928025B67FDFCB881056ECF20926DB0
                      SHA-256:069127301E179C688800EE5B6FFCC1724CB8478F913B99A4A0790B341C23047B
                      SHA-512:C5E366371F5031F19CDF854B4B3CC4163282410861EE9AAA9BF7BB2288DCCD240DBDA0271CD9FCC22A8616E19330E2C87B289E39EFBA47898BC7247C16135B44
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):169472
                      Entropy (8bit):5.783231724742427
                      Encrypted:false
                      SSDEEP:3072:bv84RASBNvWMdaoTP0Yt4fscMcGP+MBpXh:x2vMdx0nc
                      MD5:F3C12BC2AD56585937D74506C9D62F96
                      SHA1:5F5F4CF8F928025B67FDFCB881056ECF20926DB0
                      SHA-256:069127301E179C688800EE5B6FFCC1724CB8478F913B99A4A0790B341C23047B
                      SHA-512:C5E366371F5031F19CDF854B4B3CC4163282410861EE9AAA9BF7BB2288DCCD240DBDA0271CD9FCC22A8616E19330E2C87B289E39EFBA47898BC7247C16135B44
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):2762752
                      Entropy (8bit):6.56038820893923
                      Encrypted:false
                      SSDEEP:24576:mWz56k1bil6jdidLwgYqD8dSKtwdDLdZ4UBwduBorvAESsTLx08pS9fSu0+BK2:N0k1bJjiwqQjSr65sYLx088V
                      MD5:E145BA544D06D6438EC711C3D18F5EBF
                      SHA1:BCB89697ECB7962A6A39E70C93731D5C6482DCDA
                      SHA-256:888EC69186ED917AF7BE5195ECE83EDF22C5E6813BF5CB3CB1554AF48A6BBD83
                      SHA-512:0888C4BDB780B1B67019054338EB58B3907A4D6FFC441E35A17537B8124AEA256B340AAF87EAAEE255EF0EE310FD2F181440BB622C226C5F511D4BD66A6CFDFC
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 1%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):358912
                      Entropy (8bit):6.719986198651759
                      Encrypted:false
                      SSDEEP:6144:wUDVaFYgLBFvkrF3vAu3Ox1eYvK5iqnIhyeK8ZsXhAOJc8:hVaFYgLBFkrF3vAuI1nvK5iqnesh/F
                      MD5:0B6D7A6C657284D1EF16B692610BADC5
                      SHA1:F8FD8A06C221D158E82C679F6FCF51CA14139C5B
                      SHA-256:600108EC4719975CF69ADE459842724027FF6CC52019967A462BB1E7FFEDFA44
                      SHA-512:F0F9B19E94BB9C7C23F511D1617CE40D75CBD4E758EB85519C5DC25E16EB0FC33617FE279E2C48E9734BFA0E80300BE02034BDF37C28CEFD9C96126077A0E147
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):404480
                      Entropy (8bit):6.6495348583868195
                      Encrypted:false
                      SSDEEP:12288:NfVjjIFPH1O5SELWHc59pLkdOAnwexmv8ct1:NfZLWHcHpLkJwexI
                      MD5:292FAA2899E764BA099B254301BFCFA7
                      SHA1:9A019BEE4FA6D0D31D9EABD632D1D28C00946233
                      SHA-256:DFB9B827FB67E8827CB8846BFE174830355139962AFC24AC94E7477F94BA1A1C
                      SHA-512:E278039BA9894AE4D31CB1256AD5C0B7C5990564E280EE927E66621A2D7C7F135E41D903E607E47B92C2B13EE5E71BCB20250934D4F4793D4667D56A4BF2AE11
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      • Antivirus: Virustotal, Detection: 1%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows HtmlHelp Data
                      Category:dropped
                      Size (bytes):10408283
                      Entropy (8bit):7.998831189389843
                      Encrypted:true
                      SSDEEP:196608:MC9p/bRCTyL7tTjqoLn2b9bW+OR4+w8vFdRf5p9Vsmj:MsbgTm7tTmE2ZaTJw8BH
                      MD5:A0916AD1AFE3032E79D157DA16B34450
                      SHA1:C8740B27306CF7EFA79E80B89572CEAC684318B7
                      SHA-256:CC9BC94FC33B72C6D10A11C258B8D552EFFA3C905D4D621471BFC1C33F603372
                      SHA-512:515B87E14F68592C1324FC938D44EFDB9D0AC3548DEB370CEE8EFCF8F42284AC4F0896CC41F9C654909F56A3FD46A4B314A90D392EF8301835E4825E1F66970C
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):562
                      Entropy (8bit):4.928664272192018
                      Encrypted:false
                      SSDEEP:12:TMG1cOUNTbxVH43UZ/R+4pxy/4p3UelGc4phm/4plpUelFP4pxelzm3xT:3qNBBTvSnxOCsr
                      MD5:35D3E7D8FD5302F9EAFAEF982BA494DF
                      SHA1:2ED034FE8A8B52BD7E4F58A4CBBC76D249C359ED
                      SHA-256:0CD375E62A7B4BF4FC7C07D9FF16878777FB32F8ADED269BDB53F8A7A89C55D7
                      SHA-512:6D1F53EF9DEF3BBA4201CC0BC926F335866E46788A0E06775C916EDB843AFC19E5EE671F8A1870BC7B4C9CD74600069AC1FE544EB050E7A326ABDD2C6DAA8A21
                      Malicious:false
                      Preview:<?xml version="1.0"?>..<configuration>.. <appSettings>.. User application and configured property settings go here.-->.. Example: <add key="settingName" value="settingValue"/> -->.. <add key="toolBarButton_Cursor.Pushed" value="True" />.. <add key="toolBarButton_Cursor.ToolTipText" value="Cursor" />.. <add key="toolBarButton_Marker.Pushed" value="True" />.. <add key="toolBarButton_Marker.ToolTipText" value="Marker" />.. <add key="toolBarButton_PT_Draw.ToolTipText" value="Point Draw" />.. </appSettings>..</configuration>
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):412672
                      Entropy (8bit):6.652589061894945
                      Encrypted:false
                      SSDEEP:12288:zh6QnWFCk5KQS5mUnq+kx675P7wn+aSX9GfE7A12Bin:FHxmUnq3x6758+aG9GMMwB
                      MD5:69624B1AB275E5AEA277EC8A011F40BC
                      SHA1:3198AE6438ECF0F02004984D0D0A2F675FF12AF0
                      SHA-256:CA22DBD05D69653FEBEFD40FA801B85914FACC1596CE73425E471C8C6A03342D
                      SHA-512:4988CAC32BD47D17398F97847F94A7C43C2511D8A519267ACCEBDABC305BF47E6739D093FDDBCB65D5BE78CFCC4A9A8A025BBCB80A6A3BA0F146ACEE224621D9
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):57344
                      Entropy (8bit):5.824030017832848
                      Encrypted:false
                      SSDEEP:768:7Rb78Xc4V1SQpSQAIb1YgBKxv9TcUvVIxa7Y4+Bt9TIMLsp2Tj:l81SQpSQAIb1UmUvD7Y4UTIY
                      MD5:AA30619BF3CBDD793907028F0DA0136D
                      SHA1:5116C3697915B581116E54FE1299929AAED9C834
                      SHA-256:2C1742A27FC5A1A00AFF1CAA1360D70DB38BA6D875DC64E9C21C037C285CD432
                      SHA-512:3D475FFD06F7CA827246C5FED05EE4F4683E606E0016B4AA21BCF71F38CE4729CE78E39958F7692AB6591178C8D03C5F3351FE8AB8D1D3DBB499A0B319B93DEE
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):5128192
                      Entropy (8bit):5.997356061291721
                      Encrypted:false
                      SSDEEP:49152:ZfbOajjp+gmHkx9IiNIsIC4QrWAAJKbXRebxjWIUPHaoe2DRNzxfItzUB1WoiQsK:UajjAHkxu+AJKbXRebxjWIU
                      MD5:548D695FF96BD80167A8F6A3EDC2FC93
                      SHA1:E1D27D5AFC4725BCAE772EB8B838737CCF3FEEB1
                      SHA-256:AA53F75FD1B83F562735FCBBE2A093A6B6C24ADCB21128741613B6E9EDFFAC4F
                      SHA-512:21A54CEA47B9C5157B4AA978BC3C92F171D525DCDAE0A0DF304E4ED50742BD691432C5403E8E038A912ACEDC381047861A75A45182A8EC0E4907FDA9DDEAF682
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):182272
                      Entropy (8bit):5.086848744037299
                      Encrypted:false
                      SSDEEP:3072:AtBSl8IUajyvROAgNWU/cbDxZhy4lxdR9:AWKIUqyvROfWU/
                      MD5:9D1AF7AEC60748436B67D6691C79B5FB
                      SHA1:58EDD817BE56455B98E713FDE7D537A5A52A1FA3
                      SHA-256:883E8A37DD8930AE34B19519A319050E5E0D0BE6D4928624777BB7C9576B6F1F
                      SHA-512:C2B7B8DEAA3923988347E9093DB30E0515FF99CFD7C5D0DDE85C636732DCA039A5105A94AF65B2264CA64E3B1D0A412E0378C6DDAF618E38618DFC4513118B92
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):360448
                      Entropy (8bit):6.752206735920315
                      Encrypted:false
                      SSDEEP:6144:XQtpiangFXqlc6U+oYWjgvAumyN+2k66efojmhDbcLsRwAp93AOdY9GeXCG:AtzgFXq9U+oYWjgvAuZOvefoYbcCsLCG
                      MD5:FBDD8074DC7A093DED2BDEB34FDA3055
                      SHA1:E039FFCFE4645872AAFCA03CB9828C2AA082A21C
                      SHA-256:BFFCC5092409371C6181E3109645C5C0A06BAA8948039E3B6C9940910000015F
                      SHA-512:9F71F07E089BCFC113000E7ACB94E867BD2B119784202EA73A5AF4253B590A733C713104C0F06975A042F3B22C71D76E9CA6068B5D49256DF5BCDFDD64940C8C
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 2%
                      • Antivirus: Virustotal, Detection: 0%, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........IS..(=..(=..(=..N>.(=..N8..(=..N9.(=..@8.(=..@9..(=..@>.(=..N<..(=..(<..(=..A9..(=..A=..(=..A...(=..A?..(=.Rich.(=.........PE..L....d._...........!.....T...B.......D.......p............................................@..........................U......lW..(...............................T%...E..T...........................8F..@............p..D............................text...~R.......T.................. ..`.rdata.......p.......X..............@..@.data...."...`.......H..............@..._RDATA...............R..............@..@.rsrc................X..............@..@.reloc..T%.......&...Z..............@..B................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):23040
                      Entropy (8bit):5.2310276785053915
                      Encrypted:false
                      SSDEEP:384:xK/Hf/ke1HVbswQYmtZUS8JM2WK1ubDkRYr45KVQbP:xgHEw5swMtZX8WTQKV0
                      MD5:516FB4A8F0FE44FC539C563200F5F95F
                      SHA1:E7236C2601B29267E690A2EFA04DE17F59870CBF
                      SHA-256:37C51DAE2D502130EE9AD8A270EB4598961F0526DD592338FAD69D3196CE33F4
                      SHA-512:B8465D77DB5A37D8251A322DAD0A36231EA53DBE999734C67EBAD885216537569CF1DEAE3736AE4077176E186DF7AB7AF734F6CA36912B1BD206B1050D9BD1AC
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d._...........!..0..P...........n... ........... ....................................@..................................n..O.................................................................................... ............... ..H............text....O... ...P.................. ..`.rsrc................R..............@..@.reloc...............X..............@..B.................n......H........F...&...........m.. .............................................(....*.0...........|.....{3...l}o....|.....{4...l}p....|......(....j}q....|......(......(....Xj}r....|......(....j}h....|......(....j}i....|.....{5...}o....|.....{6...}p....|......(....j}q....|......(......(....Xj}r....|......(....j}h....|......(....j}i...*f..sS...}......sS...}....*.*:.|.....l}o...*:.|.....l}p...*6.|.....}q...*6.|.....}r...*f.|.....}h....|.....}i...*6.|.....}o...*6.|.....}p...*6.|.....}
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):213504
                      Entropy (8bit):6.615215945438717
                      Encrypted:false
                      SSDEEP:3072:ggx9jYicV0NV+8GNVW2BNVEgHvNVINVINVANVG:F9EV0Nc8GNzBNlPNaNqNON
                      MD5:D3DCAB11FC0EFBFABE6C0BBA035A6A83
                      SHA1:416D9CF1055E0EC0790746FC95566A692E6C846B
                      SHA-256:A99F27DD5502AC102E58B018A39016BF06CC001173F858C0384330354B3601DF
                      SHA-512:470D81E9713EB58FAF28DF445D36F5E13C1500E1CB002FEDF46BC0D08270DA52A58E9ED73C5EA2D4C13974FE72AE9C1879F92854D6A319DE7C20B8499D115B27
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d._...........!..0..8..........VW... ...`....... ....................................@..................................W..O....`............................................................................... ............... ..H............text...\7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B................8W......H.......H....d..............._...........................................0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*..(.....(.....{.....{....o.....o....o.....{....o....*z.,..{....,..{....o......(....*....0...........j...}.....{.....o.....{.....o.....{....o.....{.....o.....{....o.....{.....o.....Yj..{......( ...o!....{....r...po!.....j}......}......&..*..................0..o............("...s#.....s$...}.....s%..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):245760
                      Entropy (8bit):5.61589919429097
                      Encrypted:false
                      SSDEEP:3072:vwCBlibuTbRIBSOM/frKBFYYgv3t8U6nNdsAQrpKlZ:IwpIBvM/frKBFPgv3t8UULQs
                      MD5:E26CCFA18EBD19EECF29A84426CF3FDB
                      SHA1:5F5B6E6E1670932945CB4EF35979D7AF8956CC0D
                      SHA-256:69C621F6E9D355734E3DCB94A92654B0B4997BDD607ACB35BEEE587DCCB897C1
                      SHA-512:652B347AC7D66EBCEB51B03BC180C70DB69A355E737A04AE5703C3C0A3757A83B693901E62313E407FA1A35F159440D6435F89D530B44F6B221C7FF8C996AF9C
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........".S.L.S.L.S.L.@.%.R.L.V.,.T.L.V.C.J.L.S.M.:.L....V.L.V....L.V...R.L.V...R.L.RichS.L.........PE..L.....WA...........!.................v.......................................`..........................................e.... ..<............................0..,....P..............................................."..P............................textbss.Y...............................text........p...................... ..`.rdata..._...P...`..................@..@.data...Lg.......0...P..............@....idata..y.... ......................@....reloc...%...0...0..................@..B................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):667
                      Entropy (8bit):7.379803385778967
                      Encrypted:false
                      SSDEEP:12:zknebb8jfnPm9oPm4WuWm61KkneySyxVSScifKPhml9bzcIcI0VcRR2aQva2lgND:BS0SSc/PsQIRRRQNgDkXjU5mFB7ZXxm
                      MD5:20CAA1CBD01D6A2199813EEBB53464A7
                      SHA1:ABDB5D0EE17605B578CFB765DA58320D4FFA2BA0
                      SHA-256:7702965D43AF4F58900DFE65CD941F2E765A2DD381734E4CC17E723EB4548915
                      SHA-512:07EE9B93BAB2BAA7BDB1C49190EA3F3D9EC1D717B6D8B69696F70D1B5CCA5004E3975059D3CA0C7F2981C59D434AFF89AB7CA92392E75138BE5A154FC445B08A
                      Malicious:false
                      Preview:.P-file 2.4......................$...8.....n.4....&..B.h..G.E..`1V_.]2kX........F..."...~'......?<..K....CloseSession...n.4....&..B....G. ..^8..]2k\..*... .F.3."...~'......?.B...n...\?..m.B...^.&.......2k6..w.u.._..I."...>..%.s..v?~}............/..B..&!.....;...].k...7.5.CPa.....H9~.7..-Q.....K.)....n.x....&..*.h..G.E..`1V_.4A.4h..X.....F.a.Vz..~'.....n.j....&...B.h...E..n1V_.]2k^........F..."...~'......?0..K..n.tU..t..t.B...2.K......Akk.w{u..N..I."...>..$.>..v?2}............./..B.h.......(...].k[..7.5.CPa.....N9~.k...fQ.....K.)....#..oblmB;f......S....T]...I.7T5..Ua.ODM..y~.......?....<.nW ..c4..._-a.G.G....C....+....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):754
                      Entropy (8bit):7.444170612377388
                      Encrypted:false
                      SSDEEP:12:5fvknebb8jfnPm9oPm4WuWm6lHVebb8jo9K/yH7NFWRS1QckTrtwa5ATSZtOM601:589UU7NFWRSKckTrtwa2Tqcl0/nRdvSu
                      MD5:8534A70D175530F2E1F4E99AFEB96629
                      SHA1:0C25AB3A4C5F2FC074E03C4339F631E225845913
                      SHA-256:460EF62215FA463E50668D430661696BE3BF864475AB5DDF250D2DB43CCDD3C0
                      SHA-512:CC6E6A95F5641A8E767C1E8CEF554824CA9B432BA00EC5F01EDB943FF0C0CADB8031A3B7AFA6CBD4C1D2823E170917C4409A32796F56F26A0DA9FE8A6AE3BE31
                      Malicious:false
                      Preview:.P-file 2.4..0...........-...........8.....n.4....&..B.h..G.E..`1V_.]2kX........F..."...~'......?<..K....LoadWfm...n.6....&..B.h..G.E..`1V_.]2k9g..G..we.F._.Co..3T.....LU.|...n.#3g...../....^.".......2k&..w]u../..N."...>.%.s?...w}...VQh...../..B.j...........].k[..7.5.CUa.....I9~....BQ.....K.)....#..&/....M......S....y]...I.7S5..ua.OWM..y~.K.....?....<.nW6..cu....-.....G`.........+]....j..!..."[..n.x....&..*.h..G.E..`1V_.4A.4h..X.....F.a.Vz..~'.....n.j....&...B.h...E..n1V_.]2k^........F..."...~'......?;..K..n.tU..t..b.B...1.E.....2kF..w.u.....L.k...>..%.s..v?:}.........../..B.`.......#...].kX..7.5.CVa..c...9~.Z...Q.....K.(.....#..&/,mB;n......S....\]...I.7\5..Qa.OKM..y~.......?....T..WU..c....A-..o..G
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):725
                      Entropy (8bit):7.4041572376422105
                      Encrypted:false
                      SSDEEP:12:x7knebb8jfnPm9oPm4WuWm6Uebb8sVH7tkGdYnSSsP9Tg93/ewJI0VcRR2aQvade:xjk/SSsKFmwCRRQUDka8djU5mNNbp7As
                      MD5:4F84BD8B9B92D5F7445372D2935CEAD2
                      SHA1:19AA37D972D6BB53062485D1481539B817390F8F
                      SHA-256:564B848A7689C280171DB31FC34AB7ABCD75B17011ADF2E557D2A1687C313B56
                      SHA-512:768565F09D6BB623B0C894292990DCCCD24CF7F6BF38C5A336B947E0728AF1F2999404A542D05A8720E3A9D44856DCDEBF8D02A1872CB158F2FC67E30ECB006A
                      Malicious:false
                      Preview:.P-file 2.4..........................8.....n.4....&..B.h..G.E..`1V_.]2kX........F..."...~'......?<..K....NewSession...n.6....&..B.h..G.E..`1V_.3Ak.l..}...C.'{A.E....i......?:..K..n.JU..O..S.B...^.".....cb.S..w..<_..M."...>..%.s..v?.}........../..B.h....... ...].kg..7.5.CVa..G.....!...Q.....K.)....#..&/#mB;a......S....^]...I.7g5..wa.OHM..y~.#.....?....<.nW1..c..n.x....&..*.h..G.E..`1V_.4A.4h..X.....F.a.Vz..~'.....n.j....&...B.h...E..n1V_.]2k^........F..."...~'......?6..K..n.tU..t..x.B...;.S.....[kw.w.u..N..I."...>..$.>..v?2}............./..B.h.......(...].k[..7.5.CPa.....N9~.k...fQ.....K.)....#..oblmB;f......S....T]...I.7T5..Ua.ODM..y~.......?....<.nW:..c....B-l.M.G....g..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):798
                      Entropy (8bit):7.507477236171556
                      Encrypted:false
                      SSDEEP:24:5ny2LIJVNCB6zODF0SonRRQECDk9ijU5mNNbp7A0L:5nnLIIYzrSoRa1DPQaNe0L
                      MD5:22E1D474F34AF7E63E8C15B2951C04E1
                      SHA1:EF7CF40D316C6118362F50D4D5C728F4F04308EB
                      SHA-256:E1B860CD1474E828CCD16D12AF718231F2BEB3727C06DC82319E1444C1E0638E
                      SHA-512:F3B46A100DBE26886BFE94F3E2397848A25EEDD81B679BBBDC718D4F4865C7B4D4079C7EC09CF2994B0BD42626DCB62FD4C4C99917FDDE0D785F20F4E0062976
                      Malicious:false
                      Preview:.P-file 2.4..P...........H...........8.....n.4....&..B.h..G.E..`1V_.]2kX........F..."...~'......?<..K....TransferWfm...n.6....&..B.h..G.E..`1V_.]2kX..u...C.'{y."....S..W...?o.a8...0U..'.....'...*.$......H....w.u.....D."...>..%.s..v?.}.........../....#...Bz..o...].kX..7.5.CPa..?..f9~....OQ.....K.)....#..&/.mB;W......S.....]....q.q5..Ka.OJM..y~.......?....#.nW<..cU...7-..!..G+...).....+].....j..!..."[.y..@..3....[.R.}...s....../....n.x....&..*.h..G.E..`1V_.4A.4h..X.....F.a.Vz..~'.....n.j....&...B.h...E..n1V_.]2k^........F..."...~'......?7..K..n.tU..t..z.B...,.E......@kO.wyu..N..I."...>..$.>..v?2}............./..B.h.......(...].k[..7.5.CPa.....N9~.k...fQ.....K.)....#..oblmB;f......S....T]...I.7T5..Ua.ODM..y~.......?....<.nW:..c....B-f._.G....g..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):13824
                      Entropy (8bit):5.939485823387047
                      Encrypted:false
                      SSDEEP:384:0v6LKwf3gC/F+R30W27Ce+TDRAiO069Xj:RN1M0r7V+pvO/
                      MD5:72EDD5449D4C965F0E131C5625911A16
                      SHA1:4ADDD4D198BB26BB4F199E8E53F0675E93E3053C
                      SHA-256:2918EF52AB0D4F8F6DDA4B2B7D5ED3723AB5332ADB006A337665863FE4F09880
                      SHA-512:EC0F74E5268FA305BB6FE1AD07E7BF73F7F1DD35EC69D6519FA8233055D0D60F3211D3D092BA3ED59E8CD1F0D329D0145112E1360522DBD7B9018B4AFF4362CF
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.KB...B...B.......@...e...@...e...F.......@.......@...e...K...B...z...e...T...e...C...e...C...RichB...................PE..L...Q.gM...........!................](.......0...............................p......E'...............................:..L....5.......P.......................`..\....................................4..@............0...............................text............................... ..`.rdata..<....0......."..............@..@.data........@......................@....rsrc........P.......0..............@..@.reloc.......`.......2..............@..B................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):90209
                      Entropy (8bit):4.547805182917404
                      Encrypted:false
                      SSDEEP:768:YIjznOBobCw/mNNL4RoMis7itxy3SRJgIMRpzi5Pmk/3iB9IkMBc8/+A0i7iccxY:5/6w/mOis7eR9Kpzi5Ok/gMBZGWuHo9
                      MD5:ED82FA0ADCDB0DDCC0B01475B7ABCF8A
                      SHA1:A6F5D4DA34D18AC51E127FA5837E41CD515E5F8E
                      SHA-256:D8936CB9033FAB93CDA85AC1CCF54D359DC333479ABA6FC1AE450D8014B64C08
                      SHA-512:4FFA70FBF074DB25C7A277DD331441F46BA60383E44EA32C4E1402EBA886825AF85287270FDE645C60770FB2A680436D17848FCD40C2CE8AF5048BA3E3265C19
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):90209
                      Entropy (8bit):4.547805182917404
                      Encrypted:false
                      SSDEEP:768:YIjznOBobCw/mNNL4RoMis7itxy3SRJgIMRpzi5Pmk/3iB9IkMBc8/+A0i7iccxY:5/6w/mOis7eR9Kpzi5Ok/gMBZGWuHo9
                      MD5:ED82FA0ADCDB0DDCC0B01475B7ABCF8A
                      SHA1:A6F5D4DA34D18AC51E127FA5837E41CD515E5F8E
                      SHA-256:D8936CB9033FAB93CDA85AC1CCF54D359DC333479ABA6FC1AE450D8014B64C08
                      SHA-512:4FFA70FBF074DB25C7A277DD331441F46BA60383E44EA32C4E1402EBA886825AF85287270FDE645C60770FB2A680436D17848FCD40C2CE8AF5048BA3E3265C19
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):13824
                      Entropy (8bit):5.939485823387047
                      Encrypted:false
                      SSDEEP:384:0v6LKwf3gC/F+R30W27Ce+TDRAiO069Xj:RN1M0r7V+pvO/
                      MD5:72EDD5449D4C965F0E131C5625911A16
                      SHA1:4ADDD4D198BB26BB4F199E8E53F0675E93E3053C
                      SHA-256:2918EF52AB0D4F8F6DDA4B2B7D5ED3723AB5332ADB006A337665863FE4F09880
                      SHA-512:EC0F74E5268FA305BB6FE1AD07E7BF73F7F1DD35EC69D6519FA8233055D0D60F3211D3D092BA3ED59E8CD1F0D329D0145112E1360522DBD7B9018B4AFF4362CF
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):632
                      Entropy (8bit):7.3023268333747255
                      Encrypted:false
                      SSDEEP:12:V5uknebb8jfnPm9oPm4WuWm6Aebb8ak3g99Tdav+0HtZRVAd6I0bRdIO+gSvaSNP:VQkW9T820zAQRdvSrDkTzjMtd
                      MD5:BE1C9200C8D79E456A738F1C8B41DF8E
                      SHA1:040CF4A207D1F6F44CAF2FDCC8A95F020FD17C51
                      SHA-256:355D7F0C70C0C26383DD7913C24A3B0512CF3B0B62BB9C62088D4A44149B1DF9
                      SHA-512:41B495A59BE40BD3EB4F0A44F9C007F5182DFD7DD24E5DBAC3B894D2EC01B3C47721B39599536546507C7016263AA90A4EC4FE29DEDF4D169BA49C72CB0E60CF
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):632
                      Entropy (8bit):7.3023268333747255
                      Encrypted:false
                      SSDEEP:12:V5uknebb8jfnPm9oPm4WuWm6Aebb8ak3g99Tdav+0HtZRVAd6I0bRdIO+gSvaSNP:VQkW9T820zAQRdvSrDkTzjMtd
                      MD5:BE1C9200C8D79E456A738F1C8B41DF8E
                      SHA1:040CF4A207D1F6F44CAF2FDCC8A95F020FD17C51
                      SHA-256:355D7F0C70C0C26383DD7913C24A3B0512CF3B0B62BB9C62088D4A44149B1DF9
                      SHA-512:41B495A59BE40BD3EB4F0A44F9C007F5182DFD7DD24E5DBAC3B894D2EC01B3C47721B39599536546507C7016263AA90A4EC4FE29DEDF4D169BA49C72CB0E60CF
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):595
                      Entropy (8bit):7.237528206615109
                      Encrypted:false
                      SSDEEP:12:0fknebb8jfnPm9oPm4WuWm677ebbtkB3B4Sc7jLTx9CHW5IpdwJI0bRGO4va+qNp:HkB3KSc7jLd9EKIzwDRGvaDkouxpiLg2
                      MD5:27B1496A640B749215537CC38520645C
                      SHA1:83292417D9892C7A3BA708D1BA94012032E9B14A
                      SHA-256:9D2C1CA81A4476E1251A6CE9E64126CDD67F7F81F3149FA72D901126CAA63B3F
                      SHA-512:50500075CE89D7D9E42F8971E0721A7C015D204E4C8E1766BB899B7B1CBFC958FC20D2061272C7F644196B371A25C3CF7681A5C4E73D980DCA8B33C3BBE32DC1
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):595
                      Entropy (8bit):7.237528206615109
                      Encrypted:false
                      SSDEEP:12:0fknebb8jfnPm9oPm4WuWm677ebbtkB3B4Sc7jLTx9CHW5IpdwJI0bRGO4va+qNp:HkB3KSc7jLd9EKIzwDRGvaDkouxpiLg2
                      MD5:27B1496A640B749215537CC38520645C
                      SHA1:83292417D9892C7A3BA708D1BA94012032E9B14A
                      SHA-256:9D2C1CA81A4476E1251A6CE9E64126CDD67F7F81F3149FA72D901126CAA63B3F
                      SHA-512:50500075CE89D7D9E42F8971E0721A7C015D204E4C8E1766BB899B7B1CBFC958FC20D2061272C7F644196B371A25C3CF7681A5C4E73D980DCA8B33C3BBE32DC1
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1180
                      Entropy (8bit):5.050993935746915
                      Encrypted:false
                      SSDEEP:24:uXCoYUuFYvdzIAQ+kjZ9RlfPfO/eP9lDIX9tIw4retf5hJr0AAa:+CoY5YvezNj3RlHmWP3E3R/hrJ
                      MD5:9132A6C63131ED519DEB1B074780CD05
                      SHA1:C87F74663157D6AE2639BB0BA8E4356CA7615B0F
                      SHA-256:788CDF9B4581D2F81766728C3B1CDF501F99E02004D5D3438D4C3BE84EF937DA
                      SHA-512:B22FC4583AC09ECFA2B4435C5BC74070FBFC155C9EAFE4FE0F2C6754ABB247B730BC4BF1280391E906648A377E45B147C0428C8DCDB70C74B5CCA8FDF75DF910
                      Malicious:false
                      Preview:%A very very preliminary sample code to show how to use..%Caliber fuctions to talk to instrument from MATLAB..%Plase compile this using 'PCODE <filename> before..%running it.....%This script only with visa resource strings..%Since TekVisa does not support connection over raw sockets,..%you cannot connect to a Tek AWG using this script.....echo off....%Open a session. If you are connecting over LAN to an AWG..%the first parameter to NewSession would be the IP address..%and the second parameter would be the string'tcpip'..s=NewSession('USB0::0x0699::0x0343::JU010107::INSTR','usb');....%IDN query outputs two values;Status of the query and the ..%response from the instrument...[status,idn]=query(s, '*idn?');....%Writes a single command to the connected AWG. Status will..%be Zero if write is successful..status=Write(s,'Output1:State On');....%Following script creates a sine waveform with 1000 points..Frequency = 1e2;..Period = 1/Frequency;..Pts = [1:1000] * Period;..Data = sin(Pts);....%F
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):1180
                      Entropy (8bit):5.050993935746915
                      Encrypted:false
                      SSDEEP:24:uXCoYUuFYvdzIAQ+kjZ9RlfPfO/eP9lDIX9tIw4retf5hJr0AAa:+CoY5YvezNj3RlHmWP3E3R/hrJ
                      MD5:9132A6C63131ED519DEB1B074780CD05
                      SHA1:C87F74663157D6AE2639BB0BA8E4356CA7615B0F
                      SHA-256:788CDF9B4581D2F81766728C3B1CDF501F99E02004D5D3438D4C3BE84EF937DA
                      SHA-512:B22FC4583AC09ECFA2B4435C5BC74070FBFC155C9EAFE4FE0F2C6754ABB247B730BC4BF1280391E906648A377E45B147C0428C8DCDB70C74B5CCA8FDF75DF910
                      Malicious:false
                      Preview:%A very very preliminary sample code to show how to use..%Caliber fuctions to talk to instrument from MATLAB..%Plase compile this using 'PCODE <filename> before..%running it.....%This script only with visa resource strings..%Since TekVisa does not support connection over raw sockets,..%you cannot connect to a Tek AWG using this script.....echo off....%Open a session. If you are connecting over LAN to an AWG..%the first parameter to NewSession would be the IP address..%and the second parameter would be the string'tcpip'..s=NewSession('USB0::0x0699::0x0343::JU010107::INSTR','usb');....%IDN query outputs two values;Status of the query and the ..%response from the instrument...[status,idn]=query(s, '*idn?');....%Writes a single command to the connected AWG. Status will..%be Zero if write is successful..status=Write(s,'Output1:State On');....%Following script creates a sine waveform with 1000 points..Frequency = 1e2;..Period = 1/Frequency;..Pts = [1:1000] * Period;..Data = sin(Pts);....%F
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):736
                      Entropy (8bit):7.442997450480618
                      Encrypted:false
                      SSDEEP:12:J5Jfvknebb8jfnPm9oPm4WuWm6jebb8jo9K/yz7oIWSqKhKwuFTcl5I0VcRdIO+T:JrM9UmWD8uFTbRdvSrDkdUjMttrshXKo
                      MD5:C26A879A8DEEEB7D9E6DF0C5A537AA09
                      SHA1:4149EC97473835AC31E4953E5124D0E6B65472A2
                      SHA-256:EE442C104973C82E8C8056D8AB8DCD420C9870048542CF00D214926F8FFD5CF6
                      SHA-512:3DC0EA72749C8FF0046AAD531BA9165687E5724F3B2256636CC4E4B9E2302BF76E776A457A92878E64D350F56C5C21D8D107AF140ECA4AF223EF6928A580FA6F
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):736
                      Entropy (8bit):7.442997450480618
                      Encrypted:false
                      SSDEEP:12:J5Jfvknebb8jfnPm9oPm4WuWm6jebb8jo9K/yz7oIWSqKhKwuFTcl5I0VcRdIO+T:JrM9UmWD8uFTbRdvSrDkdUjMttrshXKo
                      MD5:C26A879A8DEEEB7D9E6DF0C5A537AA09
                      SHA1:4149EC97473835AC31E4953E5124D0E6B65472A2
                      SHA-256:EE442C104973C82E8C8056D8AB8DCD420C9870048542CF00D214926F8FFD5CF6
                      SHA-512:3DC0EA72749C8FF0046AAD531BA9165687E5724F3B2256636CC4E4B9E2302BF76E776A457A92878E64D350F56C5C21D8D107AF140ECA4AF223EF6928A580FA6F
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 8 05:34:59 2024, mtime=Tue Oct 8 05:35:00 2024, atime=Tue Jul 14 18:57:08 2020, length=2762752, window=hide
                      Category:dropped
                      Size (bytes):1385
                      Entropy (8bit):4.553745797733391
                      Encrypted:false
                      SSDEEP:24:8mXM2JEqcdOEDDYjtYxjxJeAKfzdidfUUUPqygm:8m8pfdOLjtYxZKfzdidMgyg
                      MD5:5BF7BB86FC3ED73BE70E2056B1ED5B52
                      SHA1:85687D8E14C766C1F7EF40356DA12BD687B46E63
                      SHA-256:D4D5EEBB889B178E79C10A90DE82FED68E5306702A5A09BFCD67E30F7D9536A4
                      SHA-512:74EF111DE1062B8E66948510BDD2144EE6E50857D524C2636D54BD7240EF7C5529A63C94D55A25AD10148DF999CC9EA774278074F064AF9C19202B0669CB07E8
                      Malicious:false
                      Preview:L..................F.... ...=..2L....V:3L....Be..Z...(*.....................?....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....HY\4..TEKTRO~1..D......HY\4HY\4....t)....................a...T.e.k.t.r.o.n.i.x.....^.1.....HYf4..ARBEXP~1..F......HY\4HYf4....{)....................a.v.A.r.b.E.x.p.r.e.s.s.....T.1.....HYg4..System..>......HY\4HYg4....~).....................i..S.y.s.t.e.m.....j.2..(*..P$. .ARBEXP~1.EXE..N......HY`4HY`4.....)........................A.r.b.E.x.p.r.e.s.s...e.x.e.......p...............-.......o...........n.K......C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe..P.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S.y.s.t.e.m.\.A.r.b.E.x.p.r.e.s.s...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 8 05:35:11 2024, mtime=Tue Oct 8 05:35:11 2024, atime=Fri Jan 10 17:51:28 2020, length=10408283, window=hide
                      Category:dropped
                      Size (bytes):1281
                      Entropy (8bit):4.663224963795364
                      Encrypted:false
                      SSDEEP:24:8lYPe2JEqcdOEDKYomtDxgdTAKfZdeVUUU/qygm:8l5pfdOGBtDxc0KfZdDQyg
                      MD5:8153AB980965D875117ECFF11AAEBDF9
                      SHA1:990C376B834565163FDAF7BDFA1606E7138DDE80
                      SHA-256:D84621AB60CD726B0A7C5FDDBB9006B3CFD717A13488EBA3F10EF28AC098FFFA
                      SHA-512:6CA6BCD07E327F1DFB84FED34B8C8439140EE10BC91B8593466D0BD7E9BBB9A7A092755359ED695C52BDD57CFD8A554ED2522C1F6CBCA014637355C2481C1C4E
                      Malicious:false
                      Preview:L..................F.... ..._C.9L......9L....x#.....[......................?....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....HY\4..TEKTRO~1..D......HY\4HY\4....t)....................a...T.e.k.t.r.o.n.i.x.....^.1.....HYg4..ARBEXP~1..F......HY\4HYh4....{).....................}..A.r.b.E.x.p.r.e.s.s.....T.1.....HYg4..System..>......HY\4HYg4....~).....................i..S.y.s.t.e.m.....j.2.[..*Pn. .ARBEXP~1.CHM..N......HYf4HYf4.....<........................A.r.b.E.x.p.r.e.s.s...c.h.m.......p...............-.......o...........n.K......C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.chm..P.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S.y.s.t.e.m.\.A.r.b.E.x.p.r.e.s.s...c.h.m.........*................@Z|...K.J.........`.......X.......134349.......
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                      Category:dropped
                      Size (bytes):1130
                      Entropy (8bit):3.441176058939492
                      Encrypted:false
                      SSDEEP:12:8gl0Ca/ledp8e3lulK8uuVsShKxrk38K8uu+WGQmbdpYUwuXVzu+WGQCQ/CNUvHZ:8IdOmqDyk3bRpd9bQOUFqy
                      MD5:AA163887D16C4172E26222360444C598
                      SHA1:044EB02FCD542D8DE517CCE6331B7F906964CA8C
                      SHA-256:0917860F44C33C2A53C2C80EF9E89600D452B7EA0AC1940E36BC050149E2EB63
                      SHA-512:62EC75B9B08781642C60CBB3A3884D9ED9AAB401B25911BFFF7DBE35A00545606F29F3296487D9AA20C3B86BD9DE9A896699F48C8EEC5B7CECA126925693CB25
                      Malicious:false
                      Preview:L..................F........................................................u....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".\.1...........Tektronix.D............................................T.e.k.t.r.o.n.i.x.....`.1...........ArbExpress..F............................................A.r.b.E.x.p.r.e.s.s.....h.1...........Documentation.L............................................D.o.c.u.m.e.n.t.a.t.i.o.n.......2...........ArbExpress Installation Manual.pdf..v............................................A.r.b.E.x.p.r.e.s.s. .I.n.s.t.a.l.l.a.t.i.o.n. .M.a.n.u.a.l...p.d.f...2...n.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.D.o.c.u.m.e.n.t.a.t.i.o.n.\.A.r.b.E.x.p.r.e.s.s. .I.n.s.t.a.l.l.a.t.i.o.n. .M.a.n.u.a.l...p.d.f.........*................@Z|...K.J.....................1SPS.XF.L8C...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                      Category:dropped
                      Size (bytes):1090
                      Entropy (8bit):3.41493412191966
                      Encrypted:false
                      SSDEEP:12:8gl0Ka/ledp8e3lulK8uuVsShKxlAxuuwIbdpYUwuXVzuwYQ/CNUvH4t2YZ/elFR:8AdOmqD8AFd9LOUFqy
                      MD5:F357D518B7CA52309D632E16FB8354B7
                      SHA1:114F1CEE40D8E2A6B36764D4A03EB43F66E35AF9
                      SHA-256:19A189DF58A3C589BE8721B565402370585C761CE9B5EBD9E632EEF5E5D8C1AC
                      SHA-512:C3F59B571D40B2F0DDFCA3E7872252ACB37B924E915BE64F3C0DBE392FF518AA0F1F4AFE3DBD4020F6BAAF7F4A23DCC15CE248AA50944F4802F5A220BCBDE668
                      Malicious:false
                      Preview:L..................F........................................................]....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".\.1...........Tektronix.D............................................T.e.k.t.r.o.n.i.x.....`.1...........ArbExpress..F............................................A.r.b.E.x.p.r.e.s.s.....h.1...........Documentation.L............................................D.o.c.u.m.e.n.t.a.t.i.o.n.......2...........ArbExpress User Manual.pdf..f............................................A.r.b.E.x.p.r.e.s.s. .U.s.e.r. .M.a.n.u.a.l...p.d.f...*...f.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.D.o.c.u.m.e.n.t.a.t.i.o.n.\.A.r.b.E.x.p.r.e.s.s. .U.s.e.r. .M.a.n.u.a.l...p.d.f.........*................@Z|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                      Category:dropped
                      Size (bytes):1004
                      Entropy (8bit):3.2980761871529274
                      Encrypted:false
                      SSDEEP:12:8gl0aa/ledp8e3lulK8uuV45IkYOlbdpYUwuAyZlQ/CNUvH4t2YZ/elFlSJm:8wdOmq6BJdMOUFqy
                      MD5:30045E4D7E59BC0FEB333D9E2B5A3340
                      SHA1:BA9FB255832A7A7DF2B25A2BFAFAD20BACD48EF0
                      SHA-256:70983EFEF2066D33403187729DFB4D46DFF820341F2A60B4DE3C14377F46D7DF
                      SHA-512:83EEFA92216203393A08EB82DDBFBC5D3B64353A945520DF69BEC7BAB26DB7A8F690DB7B8B080FBF2AA1FA8F956ADD2D42BD676AF1CDFDDE8AC51500188C0570
                      Malicious:false
                      Preview:L..................F........................................................-....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".\.1...........Tektronix.D............................................T.e.k.t.r.o.n.i.x.....`.1...........ArbExpress..F............................................A.r.b.E.x.p.r.e.s.s.....T.1...........System..>............................................S.y.s.t.e.m.....t.2...........Release Notes.doc.T............................................R.e.l.e.a.s.e. .N.o.t.e.s...d.o.c... ...S.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S.y.s.t.e.m.\.R.e.l.e.a.s.e. .N.o.t.e.s...d.o.c.........*................@Z|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.............
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Directory, ctime=Tue Oct 8 05:35:08 2024, mtime=Tue Oct 8 05:35:08 2024, atime=Tue Oct 8 05:35:08 2024, length=12288, window=hide
                      Category:dropped
                      Size (bytes):1389
                      Entropy (8bit):4.553148988371639
                      Encrypted:false
                      SSDEEP:24:8mkNW22JEqcdOEDKYomt/ryvRrtCl3Rs54AyTfQd3lp5e4d3lp50UUUDqygm:8mqpfdOGBtj2rElB2mfQd3lO4d3lRkyg
                      MD5:A554040F33473D70BE0C39678820AE45
                      SHA1:4B7543CAEED0B19FD4563FA7B58B1D19CAF5C271
                      SHA-256:C9A2BCBB34C5E584A0A39919AC03819AD8FA1111294439178341EB3A2973FE51
                      SHA-512:1F668B755DE15DE217EE11F79B4A096F47AC512E30DD3F8BE7C257D73E536C7BD3EE04578FFB5F9A1AB583218B4EDDF257B5C3F4820F2D7876E948DC6D2A5A93
                      Malicious:false
                      Preview:L..................F........5..7L...'m.8L...'m.8L....0......................3....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....HY\4..TEKTRO~1..D......HY\4HY\4....t)....................a...T.e.k.t.r.o.n.i.x.....^.1.....HYg4..ARBEXP~1..F......HY\4HYh4....{).....................}..A.r.b.E.x.p.r.e.s.s.....V.1.....HYe4..Samples.@......HYe4HYe4....c)........................S.a.m.p.l.e.s.....\.1.....HYe4..EQUATI~1..D......HYe4HYe4.....)........................E.q.u.a.t.i.o.n.s.......l...............-.......k...........n.K......C:\Program Files (x86)\Tektronix\ArbExpress\Samples\Equations..O.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S.a.m.p.l.e.s.\.E.q.u.a.t.i.o.n.s.>.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Directory, ctime=Tue Oct 8 05:35:08 2024, mtime=Tue Oct 8 05:35:11 2024, atime=Tue Oct 8 05:35:11 2024, length=4096, window=hide
                      Category:dropped
                      Size (bytes):1263
                      Entropy (8bit):4.603720908692057
                      Encrypted:false
                      SSDEEP:24:8VhwD22JEqcdOEDKYomt/ryvRrtClKRLAyTfrd3lNUUUPqygm:8VFpfdOGBtj2rElA8mfrd3lOgyg
                      MD5:9B1938FA0AD23F01CED60D727DD14949
                      SHA1:0A5B88EF0870078CB65EE5D6CD470BCF2F2E58DE
                      SHA-256:7F78247084B70C967EA9D52006557751A4BE5613D5040F1F0759EA1168E67278
                      SHA-512:09AB4538DAC890CB8B3D51912CEEB72AE951A1D9969000207046F845B245727C65BA5D7763D59C7F7F38C56B4120D5383112FBD428F33CBF8FF5394DB7E787A2
                      Malicious:false
                      Preview:L..................F........'m.8L...wG.9L...wG.9L...........................3....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....HY\4..TEKTRO~1..D......HY\4HY\4....t)....................a...T.e.k.t.r.o.n.i.x.....^.1.....HYg4..ARBEXP~1..F......HY\4HYh4....{).....................}..A.r.b.E.x.p.r.e.s.s.....V.1.....HYe4..Samples.@......HYe4HYe4....c)........................S.a.m.p.l.e.s.....\.1.....HYe4..WAVEFO~1..D......HYe4HYe4....[*.....................4..W.a.v.e.f.o.r.m.s.......l...............-.......k...........n.K......C:\Program Files (x86)\Tektronix\ArbExpress\Samples\Waveforms..O.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S.a.m.p.l.e.s.\.W.a.v.e.f.o.r.m.s.........*................@Z|...K.J.........`.......X.......134349...........hT..CrF.f4...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Directory, ctime=Tue Oct 8 05:35:11 2024, mtime=Tue Oct 8 05:35:11 2024, atime=Tue Oct 8 05:35:11 2024, length=4096, window=hide
                      Category:dropped
                      Size (bytes):1350
                      Entropy (8bit):4.543230354105075
                      Encrypted:false
                      SSDEEP:24:8maZzs2JEqcdOEDKYomtxs5yAJf5d0dgUUUPqygm:8myIpfdOGBtxiJf5d0dVAyg
                      MD5:DC227E142D0B545705477ED220E9E3E7
                      SHA1:876BD3C9E0C72EC1B05DEB0ABDA3E2CF8E952384
                      SHA-256:8BF1D974E5C6E980AC88E54EED0EC91D94B252652E37E7D21EA655FDB60D6CB1
                      SHA-512:50A1FB989005E2634043F57EF39F4FCA8CD7BB02036A91BB27BB2451C519A1159DDF562E7A1E4FB0F7B81DF7754886213E83E59E321FD2C049464D79E3834488
                      Malicious:false
                      Preview:L..................F...........9L....k.9L....k.9L...........................%....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....HY\4..TEKTRO~1..D......HY\4HY\4....t)....................a...T.e.k.t.r.o.n.i.x.....^.1.....HYg4..ARBEXP~1..F......HY\4HYh4....{).....................}..A.r.b.E.x.p.r.e.s.s.....P.1.....HYf4..Tools.<......HYf4HYf4.....+....................a.v.T.o.o.l.s.....T.1.....HYf4..Matlab..>......HYf4HYf4.....+....................:$K.M.a.t.l.a.b.......g...............-.......f...........n.K......C:\Program Files (x86)\Tektronix\ArbExpress\Tools\Matlab..J.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.T.o.o.l.s.\.M.a.t.l.a.b.9.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.T.o.o.l.s.\.M.a.t.l.a.b.\.....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Oct 8 05:34:54 2024, mtime=Tue Oct 8 05:34:54 2024, atime=Tue Jul 14 19:32:56 2020, length=804352, window=hide
                      Category:modified
                      Size (bytes):2644
                      Entropy (8bit):3.8894080788559786
                      Encrypted:false
                      SSDEEP:48:8CipfdOWSTZXXYMg3fbp0MdVTXXYhZdVTXXYH4dVTXXYh1ypFVTXXYhBAyg:8CGQXXqSwXeXpXFX2Ay
                      MD5:BA103441E666040B641C8738DAAC4CE3
                      SHA1:BBA6B1640FE0F94F529F016B153FD634F8DC2EF4
                      SHA-256:484DE6567840B51E8DEB18981C1CB831E9284709D0119D10622E2F782785E548
                      SHA-512:16F800A7A12AA7EC5FFAA74921A7C45B71ECF2A005E2FB09A00E744FF15A30BF758FE6D6AD8FEB788C447BFC01CE30D5D2509E819E2345009AA75774BE19E68A
                      Malicious:false
                      Preview:L..................F.@.. ....../L...Q../L........Z...F......................O....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1.....HY\4..INSTAL~1..~......HY\4HY\4.....)........................I.n.s.t.a.l.l.S.h.i.e.l.d. .I.n.s.t.a.l.l.a.t.i.o.n. .I.n.f.o.r.m.a.t.i.o.n.......1.....HY\4..{50457~1..~......HY\4HY\4.....).....................m..{.5.0.4.5.7.5.6.C.-.7.5.5.2.-.4.E.4.8.-.B.3.9.F.-.C.2.8.A.4.8.E.4.E.A.C.D.}.....\.2..F...P.. .setup.exe.D......HY\4HY\4....i)........................s.e.t.u.p...e.x.e.......................-...................n.K......C:\Program Files (x86)\InstallShield Installation Information\{5045756C-7552-4E48-B39F-C28A48E4EACD}\setup.exe..}.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.n.s.t.a.l.l.S.h.i.e.l.d. .I.n.s.t.a.l.l.a.t.i.o.n. .I.n.f.o.r.m.a.t.i.o.n.\.{.5.0.4.5.7.5.6.C.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 8 05:34:59 2024, mtime=Tue Oct 8 05:35:14 2024, atime=Tue Jul 14 18:57:08 2020, length=2762752, window=hide
                      Category:dropped
                      Size (bytes):1367
                      Entropy (8bit):4.578517499347337
                      Encrypted:false
                      SSDEEP:24:8mXGW2JEqcdOEDKYomtDxjxJZ/AKfwdidfUUUPqygm:8mrpfdOGBtDxqKfwdidMgyg
                      MD5:7815F960159C2F3AA248A3134A982797
                      SHA1:CE4FCFA52058AD0636312EF53D48CBF939D1410A
                      SHA-256:8A0C270A9555D78122D1D671CE38023582D711FA68E701B385F6A66A7503AD8F
                      SHA-512:BE1A87DF089832E722ECA25E1C841BB8B5485B3062F527FF29693EF2284B91265B1694AD27878BEFE6DB46A2B76F8C19D355701B13D21D3C44F51209BDA1D9E7
                      Malicious:false
                      Preview:L..................F.... ...=..2L...d/.;L....Be..Z...(*.....................?....P.O. .:i.....+00.../C:\.....................1.....HY\4..PROGRA~2.........O.IHY\4....................V.....a...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....HY\4..TEKTRO~1..D......HY\4HY\4....t)....................a...T.e.k.t.r.o.n.i.x.....^.1.....HYg4..ARBEXP~1..F......HY\4HYh4....{).....................}..A.r.b.E.x.p.r.e.s.s.....T.1.....HYg4..System..>......HY\4HYg4....~).....................i..S.y.s.t.e.m.....j.2..(*..P$. .ARBEXP~1.EXE..N......HY`4HYa4.....)........................A.r.b.E.x.p.r.e.s.s...e.x.e.......p...............-.......o...........n.K......C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe..G.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S.y.s.t.e.m.\.A.r.b.E.x.p.r.e.s.s...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.e.k.t.r.o.n.i.x.\.A.r.b.E.x.p.r.e.s.s.\.S
                      Process:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:modified
                      Size (bytes):654
                      Entropy (8bit):5.221124782773253
                      Encrypted:false
                      SSDEEP:12:Q3LaJU2C9XAn10U26K9EsUBF51K9Vi0U29xtUz1B0U2uk71K6xhk70Uj7hBck6v:MLF2CpI326KuLF51K229Iz52VMj4B
                      MD5:B3A1EAF1DE51A999113D0F0B150C2EFD
                      SHA1:79892F4A2D76BDC1E5EBD5E105C2E45E8B2207CC
                      SHA-256:08B8DECCF24156D50E42638FEA1C7461A1CFB78848B32BD87434901BEFA102CE
                      SHA-512:816EDF7A334732CDD50C85F4036701211D5E75AE6AF3BA53CDB24C3402E2A5E0C2F2E9BAF92CBDFDE528AD34267F7ABC0FFBE636525EB4A74280F984C0BD32D2
                      Malicious:false
                      Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\25c2833ce29881dfbe170558e9e6b073\System.Configuration.Install.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\f4b409548f4799c2d8461ba7f4818be2\Accessibility.ni.dll",0..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):304128
                      Entropy (8bit):2.777174706338683
                      Encrypted:false
                      SSDEEP:3072:HKaD0Ngzsd8RqY/ix4K5cC3NACuBCfuIdRdxMchpkgK/WXVhc1ESEBnz/JK583Fd:4YY
                      MD5:55F27335F7FBF56D3DF0E69CCA8AF0D3
                      SHA1:02FCE2AABEB9DF93165CE7106D0BD0B2BBE02396
                      SHA-256:3E36E75EE10F078730CF3287541AAF18E8C6B987D7F6FEEB12BDB8CC12CA031C
                      SHA-512:45542479BFF56D437DA88975A5DE313A6F5EE975384532F503DDFE0490EFFEC33DCCBD7BE2324E9A4B03BE80AE798D3772F79568D2ED9D52C54E92A1EAF91CC2
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Atari MSA archive data, -11636 sectors per track, starting track: 22332, ending track: 3470
                      Category:dropped
                      Size (bytes):259693
                      Entropy (8bit):6.692274993753087
                      Encrypted:false
                      SSDEEP:6144:qsIKmUhmFIr3hq5aKN+mpcSjP23O3yjlD3trv0:UaNU
                      MD5:5B26FDB5A5A3B6C06F591B358F970236
                      SHA1:8E817F8AA8CDB649C1566AB12F513A6E1404988D
                      SHA-256:9561957AC4300F51E48C55E907DAB6F94A5EA98A2AA221C055FBE463618DFE71
                      SHA-512:47519049B4048DC7AA2FF3898FF1CF06858F6310454969B6DD8192D4B0DC7C32A854A83C8BFD19DEA7EDB1623D6B296D8526B7352A17C680C78D148AD2129EA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Generic INItialization configuration [ALL]
                      Category:dropped
                      Size (bytes):25527
                      Entropy (8bit):4.801368694271482
                      Encrypted:false
                      SSDEEP:192:Rp4NNm9MNfLrOlD52MzFwFeSAWak8VeuGPy4fcPB3jhe7fnoJgX7I7N:Rp4NNm+NU
                      MD5:DB0B65FBB51667D25B39FAF77C9EBB52
                      SHA1:56482F2FAF50568D37FB133D5ACD25A4F93D428F
                      SHA-256:4C10EF89B1B745CB68D6D527BCD197339B5DF82AC32C962133D1CB6E6C6BDB24
                      SHA-512:D1A9E2A0F47FBB19522FFBF4A9CA1DC49330E3619C78EE1A57D1CEA868C25F698A0DB9F13A51C2FDB41553F71D744D17809E45BF526994D9314B3507288F624D
                      Malicious:false
                      Preview:[SKINS]..VERSION=1....[ALL]..TEXTCOLOR=255,255,255..RECTS=2..RECT1=0,51,102..RECT1POS=0,0..RECT1AREA=460,35..RECT2=61,102,171..RECT2POS=0,35..RECT2AREA=460,280..IMAGES=3..IMAGE1=LeftSplash2.BMP..IMAGE1POS=0,35..IMAGE1OPT=SCALE,UPPER_LEFT..IMAGE2=TopDivider.gif..IMAGE2POS=0,35..IMAGE2OPT=SCALE,HCENTER,UPPER_LEFT..IMAGE3=Console2.gif..IMAGE3POS=0,0..IMAGE3OPT=SCALE,LOWER_LEFT..BUTTONSUP=ButtonNormal.gif..BUTTONSDOWN=ButtonPushed.gif..BUTTONSOPT=SCALE,TRANSPARENT..BUTTONSTXTCLR=0,0,0..BUTTONSDISTXTCLR=96,104,112..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=2..BUTTON4POS=400,284....[AskPath]..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=31..BUTTON4POS=390,112....[AskDestPath]..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=196..BUTTON4POS=390,231....[ComponentDialog]..BUTTONS=4..BUTTON1=12.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                      Category:dropped
                      Size (bytes):22492
                      Entropy (8bit):3.484893836872466
                      Encrypted:false
                      SSDEEP:384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
                      MD5:BE345D0260AE12C5F2F337B17E07C217
                      SHA1:0976BA0982FE34F1C35A0974F6178E15C238ED7B
                      SHA-256:E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
                      SHA-512:77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
                      Malicious:false
                      Preview:..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
                      Category:dropped
                      Size (bytes):22492
                      Entropy (8bit):3.484893836872466
                      Encrypted:false
                      SSDEEP:384:CTmyuV//BiTbh/G4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/z/lWr0aa0Mhs+XVgv
                      MD5:BE345D0260AE12C5F2F337B17E07C217
                      SHA1:0976BA0982FE34F1C35A0974F6178E15C238ED7B
                      SHA-256:E994689A13B9448C074F9B471EDEEC9B524890A0D82925E98AB90B658016D8F3
                      SHA-512:77040DBEE29BE6B136A83B9E444D8B4F71FF739F7157E451778FB4FCCB939A67FF881A70483DE16BCB6AE1FEA64A89E00711A33EC26F4D3EEA8E16C9E9553EFF
                      Malicious:false
                      Preview:..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                      Category:dropped
                      Size (bytes):579584
                      Entropy (8bit):7.6477409990124645
                      Encrypted:false
                      SSDEEP:6144:/Fi43SaRsu0xho+Qvv0QhHxcul05EtXdosFRJrTy6kbdXLOvZ9sNSOVJEmY7ixzF:Lz0Y1d05EtXtFR9G6IcZZxsxzpKpHgT
                      MD5:B9D4678348F9D7FEF94C11DABD782960
                      SHA1:F2CA4A7B784F856ED7BDC9E9337544B35D69C9A3
                      SHA-256:1FAC3AA23390131843952C1E91AEBD0B6944EA65A2C271E36D288752890E9070
                      SHA-512:D0206DA19972504E9513639BF0BB2E14D155951ABDE07F579B34F1D2063010C765D44C0F343D673F42DC5C661B1234F096B29654B268CC2EC46756AFC6AE3CE6
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.....b...b...b.}.n...b...l...b.i.i...b.X.i...b.5.G...b...~...b...{...b...c...b.0.h...b.0.i...b...d...b...f...b.Rich..b.........PE..L...i=VL...........!.................X...............................................7..............................<T......|V.......`..4....................p.......................................................................................text....P..............PEC2MO...... ....rsrc........`...................... ....reloc.......p......................@...........................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PC bitmap, Windows 3.x format, 688 x 463 x 24, image size 955632, resolution 2834 x 2834 px/m, cbSize 955686, bits offset 54
                      Category:dropped
                      Size (bytes):955686
                      Entropy (8bit):5.249397671368493
                      Encrypted:false
                      SSDEEP:12288:L8PRxvPxklDgYxsTLx0CDpS9fSu0iv+6vB:orvAESsTLx08pS9fSu0+B
                      MD5:80EF6C85B644F2D21AB2EC6CC09F48FE
                      SHA1:E45B027A0E6DC66534FDA2528FC0DA6B7D50C16F
                      SHA-256:2DD11A7D9027E89BDB78BD4A28C076E1D49D9F2177535CB6ACB34C0860B9A621
                      SHA-512:0D0DE9D6310D29E909ACE8085D1F0E1D47FA709C29D2FCF9F14BF26F97742285A7BEAA50482C233535F6B6B46705F3D18B3758AC433FE41849FC8A1CC6E98BF6
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:InstallShield CAB
                      Category:dropped
                      Size (bytes):530911
                      Entropy (8bit):7.9957712300000505
                      Encrypted:true
                      SSDEEP:12288:4lqL4JImTqN0rGADWWv1ia2UrYFGK9HZT5:UURm165Wv1iN9L
                      MD5:1026CFC15528C7E2D265B52AAD685B9D
                      SHA1:28972EBF5554F278AE5480AEF91A7A7F97C59D3D
                      SHA-256:51893753F8FD66A5ADD439B4AF1F5EA10E02FE37F163CEEDBA81D4FC2C182B9E
                      SHA-512:96B6C3E2A2EA2E3C20EC1A1E7D3CB9CBAD0482CCAF3E0ABC6742600C08A625B9594D450FCA2EC43E38D0BB12D94826E6A3C9CF33A96C597EF0EEFD31BF314B3D
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:InstallShield CAB
                      Category:dropped
                      Size (bytes):32419
                      Entropy (8bit):3.6015666237649064
                      Encrypted:false
                      SSDEEP:768:hbaIZIO6SaJvst5gp8XA/lNH2Z2yYNLp6:hxeW3Ss
                      MD5:C00BBD1327C6D7041A281BE5FB18CA1E
                      SHA1:C9C76C6BCC724C1531FB850167F0D65315673766
                      SHA-256:6E2E032966B8732E93996A96C12F579377648EA803FA065FED900F6655F1872F
                      SHA-512:DA26F7F26A0C4844523838A1626AF939178F5C77893EE039D4C40AC01A1B852DB6FFC863854320B8AA9D04439140D41839906539C48AE2129EBEA377B706ECA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):606
                      Entropy (8bit):2.042463363702611
                      Encrypted:false
                      SSDEEP:6:UwRGUlfEnalMZF2CzJthelhCnanl8JDWLNglETl127n:U2zlfzla2w1aRlQyBE
                      MD5:85E08C293EF716E68706D1F6D8C060BE
                      SHA1:7F41B99FBC629C15E7DFA6DFE04895EE023707A3
                      SHA-256:9DBDE49A20CAC223A0680E6A88B6B33EDF0F35CF5CE4A15A0D7D419E6A2E722B
                      SHA-512:999F9A90575B299795BE6C19F13FB667668BB3D11542792EA0965E693C54D158E2477F4DDDD37C408008DB82F3373AAB5A05034795327E594FD44C13E1E56DA3
                      Malicious:false
                      Preview:c..S.@..^...........@....................................................................................................................................................................................................................................................... ...L...............x............................... ...4...H...............................................s.e.t.u.p...i.n.i.....s.e.t.u.p...e.x.e...S.e.t.u.p...b.m.p...s.e.t.u.p...i.n.x...s.e.t.u.p...i.s.n...I.S.S.e.t.u.p...d.l.l...0.x.0.4.0.9...i.n.i...d.a.t.a.1...h.d.r...d.a.t.a.1...c.a.b...d.a.t.a.2...c.a.b...l.a.y.o.u.t...b.i.n...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):804352
                      Entropy (8bit):6.5947838380291275
                      Encrypted:false
                      SSDEEP:12288:f3QOlnoHw/BVWJ0kVrOSknpcfAA3dF3q4NP:f37noQ/BVcN6P2tQ4NP
                      MD5:F037C2B0C1EB809C474EECFCB820F997
                      SHA1:543B57630595D55BCF6C38BA5B11F7D0B770DF30
                      SHA-256:1C07774BA5D0543F9109D8D67B8AB991F32B8DFA440787DE57E339BBC2073816
                      SHA-512:CE86A018D827F4E63E150A19680EE2EE36C65A070B7EE700796BD5330B552C55FC9730416FDEB5B2F52BC906E7FC09E52CFE5441E33C8913816C14C0B69F38C8
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`&...H...H...H...D...H.U.F...H...C...H..'B._.H..y...H.."T...H..#m...H...I...H.,"Q...H..'C...H...N...H.Rich..H.........................PE..L....=VL.................P..........}........`....@..........................................................................$..........x............................................................................`...............................text...cN.......P.................. ..`.rdata..V....`.......T..............@..@.data...$....P.......8..............@....rsrc...x...........................@..@........................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2456
                      Entropy (8bit):3.6725407729186026
                      Encrypted:false
                      SSDEEP:48:rsAMapXYD5xibcPTmscu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAMaXPcrmqrvnp6kY05w7tCYOvlnAMn
                      MD5:6DD6AF0025691CD415234E63A59FB00B
                      SHA1:19BAD7981EACD8AB6132BC747ED71D11AD13FDCE
                      SHA-256:05F3257D331575BD32DD31D479582AFDEB9466496E2D384FF16E7EB537B86893
                      SHA-512:BB456B6418B7F5C728AEA06046A5946C0461AEE96BAA06C8BD6F467BE1C8B83B08FE4278ADEA0EC608B1A70E40CC5041F7A2B2963C03B13E5C6A90F04445DC3A
                      Malicious:false
                      Preview:..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.T.e.k.t.r.o.n.i.x. .A.r.b.E.x.p.r.e.s.s.......P.r.o.d.u.c.t.G.U.I.D.=.5.0.4.5.7.5.6.C.-.7.5.5.2.-.4.E.4.8.-.B.3.9.F.-.C.2.8.A.4.8.E.4.E.A.C.D.....C.o.m.p.a.n.y.N.a.m.e.=.T.e.k.t.r.o.n.i.x.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...T.e.k.t.r.o.n.i.x...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.4.0.9.....R.e.q.u.i.r.e.E.x.a.c.t.L.a.n.g.M.a.t.c.h.=.0.x.0.4.0.4.,.0.x.0.8.0.4.....R.T.L.L.a.n.g.s.=.0.x.0.4.0.1.,.0.x.0.4.0.d.....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):246914
                      Entropy (8bit):7.384542988989865
                      Encrypted:false
                      SSDEEP:3072:jboSoC531QrAcXoLqmRemqmZNCGqgzADb2EZ01m+qM8fvXzq7vy51QiabTeUL+9U:jboNCpiYGGNCd+uC67CTeVHJE
                      MD5:9F8490DD84FDDECA54D6F14F25870974
                      SHA1:ED5998423E45E47D67E7ABFA9D304D81E1C5C164
                      SHA-256:2DEFD9BD3F762CE684820242B72605FF9D1C96EDE0B12932B5C3C970F5ADFF8F
                      SHA-512:CBC6575408171D438BA590F39B49A2551C9F2EF1F29B4222205D2934A32084137E59FED3A8EAE7C494BA021318AE76906365F89DA23C3E84F11F2B9C29FA4269
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Atari MSA archive data, -11636 sectors per track, starting track: 22332, ending track: 3470
                      Category:dropped
                      Size (bytes):259693
                      Entropy (8bit):6.692274993753087
                      Encrypted:false
                      SSDEEP:6144:qsIKmUhmFIr3hq5aKN+mpcSjP23O3yjlD3trv0:UaNU
                      MD5:5B26FDB5A5A3B6C06F591B358F970236
                      SHA1:8E817F8AA8CDB649C1566AB12F513A6E1404988D
                      SHA-256:9561957AC4300F51E48C55E907DAB6F94A5EA98A2AA221C055FBE463618DFE71
                      SHA-512:47519049B4048DC7AA2FF3898FF1CF06858F6310454969B6DD8192D4B0DC7C32A854A83C8BFD19DEA7EDB1623D6B296D8526B7352A17C680C78D148AD2129EA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2456
                      Entropy (8bit):3.6725407729186026
                      Encrypted:false
                      SSDEEP:48:rsAMapXYD5xibcPTmscu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAMaXPcrmqrvnp6kY05w7tCYOvlnAMn
                      MD5:6DD6AF0025691CD415234E63A59FB00B
                      SHA1:19BAD7981EACD8AB6132BC747ED71D11AD13FDCE
                      SHA-256:05F3257D331575BD32DD31D479582AFDEB9466496E2D384FF16E7EB537B86893
                      SHA-512:BB456B6418B7F5C728AEA06046A5946C0461AEE96BAA06C8BD6F467BE1C8B83B08FE4278ADEA0EC608B1A70E40CC5041F7A2B2963C03B13E5C6A90F04445DC3A
                      Malicious:false
                      Preview:..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.T.e.k.t.r.o.n.i.x. .A.r.b.E.x.p.r.e.s.s.......P.r.o.d.u.c.t.G.U.I.D.=.5.0.4.5.7.5.6.C.-.7.5.5.2.-.4.E.4.8.-.B.3.9.F.-.C.2.8.A.4.8.E.4.E.A.C.D.....C.o.m.p.a.n.y.N.a.m.e.=.T.e.k.t.r.o.n.i.x.....C.o.m.p.a.n.y.U.R.L.=.h.t.t.p.:././.w.w.w...T.e.k.t.r.o.n.i.x...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.k.i.n.=.s.e.t.u.p...i.s.n.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.4.0.9.....R.e.q.u.i.r.e.E.x.a.c.t.L.a.n.g.M.a.t.c.h.=.0.x.0.4.0.4.,.0.x.0.8.0.4.....R.T.L.L.a.n.g.s.=.0.x.0.4.0.1.,.0.x.0.4.0.d.....
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Atari MSA archive data, -11636 sectors per track, starting track: 22332, ending track: 3470
                      Category:dropped
                      Size (bytes):259693
                      Entropy (8bit):6.692274993753087
                      Encrypted:false
                      SSDEEP:6144:qsIKmUhmFIr3hq5aKN+mpcSjP23O3yjlD3trv0:UaNU
                      MD5:5B26FDB5A5A3B6C06F591B358F970236
                      SHA1:8E817F8AA8CDB649C1566AB12F513A6E1404988D
                      SHA-256:9561957AC4300F51E48C55E907DAB6F94A5EA98A2AA221C055FBE463618DFE71
                      SHA-512:47519049B4048DC7AA2FF3898FF1CF06858F6310454969B6DD8192D4B0DC7C32A854A83C8BFD19DEA7EDB1623D6B296D8526B7352A17C680C78D148AD2129EA4
                      Malicious:false
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):107392
                      Entropy (8bit):5.976686564124204
                      Encrypted:false
                      SSDEEP:1536:XDEbW8/KCWYxcnGP48IA2h+k3ZLZwyzHoAoS5RQjKRyVCUA:XDEKrScnS4rAI+wnHoAoS5RT2A
                      MD5:B83D2774CDAF5016CD8765A630FA1150
                      SHA1:50B7F86488926C6B06322AF6A5176E4C7786058D
                      SHA-256:4935372DAA99F6C10033ACCF0CD6403B6F7061477500C1EB65D7CA2DEDBCBFD8
                      SHA-512:90FD6C47D658491ACFD54A1CB7D76BB01C3E6F58B4DF4466998411D73E497A305DAC13798182448289052F836C92958CA42B69BB14549D51AEA4A0F92E665727
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,0.hQ..hQ..hQ..a)..&Q..a)..bQ..a)..CQ..O...iQ..O...gQ..hQ...Q..a)..kQ..v...iQ..a)..iQ..RichhQ..........PE..d...F=VL..........#..................}.........@....................................e%.......................................................V..........`............................................................................................................text...~........................... ..`.rdata..rb.......d..................@..@.data....*...p.......R..............@....pdata...............j..............@..@.rsrc...`............z..............@..@................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):107392
                      Entropy (8bit):5.976686564124204
                      Encrypted:false
                      SSDEEP:1536:XDEbW8/KCWYxcnGP48IA2h+k3ZLZwyzHoAoS5RQjKRyVCUA:XDEKrScnS4rAI+wnHoAoS5RT2A
                      MD5:B83D2774CDAF5016CD8765A630FA1150
                      SHA1:50B7F86488926C6B06322AF6A5176E4C7786058D
                      SHA-256:4935372DAA99F6C10033ACCF0CD6403B6F7061477500C1EB65D7CA2DEDBCBFD8
                      SHA-512:90FD6C47D658491ACFD54A1CB7D76BB01C3E6F58B4DF4466998411D73E497A305DAC13798182448289052F836C92958CA42B69BB14549D51AEA4A0F92E665727
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,0.hQ..hQ..hQ..a)..&Q..a)..bQ..a)..CQ..O...iQ..O...gQ..hQ...Q..a)..kQ..v...iQ..a)..iQ..RichhQ..........PE..d...F=VL..........#..................}.........@....................................e%.......................................................V..........`............................................................................................................text...~........................... ..`.rdata..rb.......d..................@..@.data....*...p.......R..............@....pdata...............j..............@..@.rsrc...`............z..............@..@................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65503
                      Entropy (8bit):3.783333450686201
                      Encrypted:false
                      SSDEEP:1536:biZVg/LPnypGccYM3MFe/Xvv+JcvpqLm416lt91FHWEi7I8qQdeVH3+HF2FnlP5r:gW/LPni+3MFe/XycRj4slt9HHWEi7I8M
                      MD5:09D38CECA6A012F4CE5B54F03DB9B21A
                      SHA1:01FCB72F22205E406FF9A48C5B98D7B7457D7D98
                      SHA-256:F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
                      SHA-512:8C73CA3AF53A9BAF1B9801F87A8FF759DA9B40637A86567C6CC10AB491ACCB446B40C8966807BD06D52EB57384E2D6A4886510DE338019CFD7EF966B45315BA9
                      Malicious:false
                      Preview:; Corecomp.ini..;..; This file stores information about files that InstallShield..; will install to the Windows\System folder, such as Windows..; 95 and NT 4.0 core components and DAO, ODBC, and ActiveX files...; ..; The entries have the following format, without a space before ..; or after the equal sign:..;..; <file name>=<properties>..; ..; Currently, following properties are supported:..; 0x00000000 No registry entry is created for this file. It is..; not logged for uninstallation, and is therefore ..; never removed...;..; Inappropriate modification to this file can prevent an..; application from getting Windows 95/Windows NT logo...;..; Last Updated: 2/27/2002; rs....[Win32]....12500852.cpx=0x00000000 ..12510866.cpx=0x00000000 ..12520437.cpx=0x00000000..12520850.cpx=0x00000000..12520860.cpx=0x00000000..12520861.cpx=0x00000000 ..12520863.cpx=0x00000000 ..12520865.cpx=0x00000000..6to4svc.dll=0x00000000..82557ndi.dll=0x00000000..8514a.dll=0x000
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65503
                      Entropy (8bit):3.783333450686201
                      Encrypted:false
                      SSDEEP:1536:biZVg/LPnypGccYM3MFe/Xvv+JcvpqLm416lt91FHWEi7I8qQdeVH3+HF2FnlP5r:gW/LPni+3MFe/XycRj4slt9HHWEi7I8M
                      MD5:09D38CECA6A012F4CE5B54F03DB9B21A
                      SHA1:01FCB72F22205E406FF9A48C5B98D7B7457D7D98
                      SHA-256:F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
                      SHA-512:8C73CA3AF53A9BAF1B9801F87A8FF759DA9B40637A86567C6CC10AB491ACCB446B40C8966807BD06D52EB57384E2D6A4886510DE338019CFD7EF966B45315BA9
                      Malicious:false
                      Preview:; Corecomp.ini..;..; This file stores information about files that InstallShield..; will install to the Windows\System folder, such as Windows..; 95 and NT 4.0 core components and DAO, ODBC, and ActiveX files...; ..; The entries have the following format, without a space before ..; or after the equal sign:..;..; <file name>=<properties>..; ..; Currently, following properties are supported:..; 0x00000000 No registry entry is created for this file. It is..; not logged for uninstallation, and is therefore ..; never removed...;..; Inappropriate modification to this file can prevent an..; application from getting Windows 95/Windows NT logo...;..; Last Updated: 2/27/2002; rs....[Win32]....12500852.cpx=0x00000000 ..12510866.cpx=0x00000000 ..12520437.cpx=0x00000000..12520850.cpx=0x00000000..12520860.cpx=0x00000000..12520861.cpx=0x00000000 ..12520863.cpx=0x00000000 ..12520865.cpx=0x00000000..6to4svc.dll=0x00000000..82557ndi.dll=0x00000000..8514a.dll=0x000
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):11152
                      Entropy (8bit):5.897352517059274
                      Encrypted:false
                      SSDEEP:192:Bw77flawuDuQd02NwyowJL/ZUW+ebCfKB5Qpkqs1IlJM3m:ANDQd02NwYJLGYbCCn1zm
                      MD5:8F50951DC767385E6E9801ECACC621E3
                      SHA1:468A8E65EBCF871198A67B478941645089A72557
                      SHA-256:F3C2471DF257575D0668DDDFD0C2F805E4B3236BC546255E6CAA2C813E914A52
                      SHA-512:C2CADF398BBA369D27A0C78D4C613F3B41E1D84A7E8B1A2A24E5D60F92A4D23E15BA9382816009C5476016DE12D110FD1852A45BD605408CD70C557B9FD49B7C
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6=VL............................>*... ...@....@.. .......................................................................)..K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H.......8"...............................................................0..?........(......,%s..........,....o.....+...o............&..&......*..*.........11..........14...............................0..W.......s................r...p.....(......s.......o.....,...o......o....+...o......&..&.....*.*.........EK..........EN...............................0...................i.>..........i.1s...+g......o......r...po....,..r...po....-....r...po....,..r...po....-....r...po....,..r#.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):11152
                      Entropy (8bit):5.897352517059274
                      Encrypted:false
                      SSDEEP:192:Bw77flawuDuQd02NwyowJL/ZUW+ebCfKB5Qpkqs1IlJM3m:ANDQd02NwYJLGYbCCn1zm
                      MD5:8F50951DC767385E6E9801ECACC621E3
                      SHA1:468A8E65EBCF871198A67B478941645089A72557
                      SHA-256:F3C2471DF257575D0668DDDFD0C2F805E4B3236BC546255E6CAA2C813E914A52
                      SHA-512:C2CADF398BBA369D27A0C78D4C613F3B41E1D84A7E8B1A2A24E5D60F92A4D23E15BA9382816009C5476016DE12D110FD1852A45BD605408CD70C557B9FD49B7C
                      Malicious:true
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6=VL............................>*... ...@....@.. .......................................................................)..K....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H.......8"...............................................................0..?........(......,%s..........,....o.....+...o............&..&......*..*.........11..........14...............................0..W.......s................r...p.....(......s.......o.....,...o......o....+...o......&..&.....*.*.........EK..........EN...............................0...................i.>..........i.1s...+g......o......r...po....,..r...po....-....r...po....,..r...po....-....r...po....,..r#.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):84
                      Entropy (8bit):4.638552692098388
                      Encrypted:false
                      SSDEEP:3:m1eAsIdWVVVWhs6E2QVVK2Whsyor3Vg2Wn:mdv0am2QVVgQ3Van
                      MD5:1EB6253DEE328C2063CA12CF657BE560
                      SHA1:46E01BCBB287873CF59C57B616189505D2BB1607
                      SHA-256:6BC8B890884278599E4C0CA4095CEFDF0F5394C5796012D169CC0933E03267A1
                      SHA-512:7C573896ABC86D899AFBCE720690454C06DBFAFA97B69BC49B8E0DDEC5590CE16F3CC1A30408314DB7C4206AA95F5C684A6587EA2DA033AECC4F70720FC6189E
                      Malicious:false
                      Preview:[<Properties>]..DIFx32Supported=No..DIFxIntel64Supported=No..DIFxAMD64Supported=No..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):84
                      Entropy (8bit):4.638552692098388
                      Encrypted:false
                      SSDEEP:3:m1eAsIdWVVVWhs6E2QVVK2Whsyor3Vg2Wn:mdv0am2QVVgQ3Van
                      MD5:1EB6253DEE328C2063CA12CF657BE560
                      SHA1:46E01BCBB287873CF59C57B616189505D2BB1607
                      SHA-256:6BC8B890884278599E4C0CA4095CEFDF0F5394C5796012D169CC0933E03267A1
                      SHA-512:7C573896ABC86D899AFBCE720690454C06DBFAFA97B69BC49B8E0DDEC5590CE16F3CC1A30408314DB7C4206AA95F5C684A6587EA2DA033AECC4F70720FC6189E
                      Malicious:false
                      Preview:[<Properties>]..DIFx32Supported=No..DIFxIntel64Supported=No..DIFxAMD64Supported=No..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):37
                      Entropy (8bit):4.175273297885966
                      Encrypted:false
                      SSDEEP:3:m1eAsCMWRXBQYrD:mdjXIYf
                      MD5:8CE28395A49EB4ADA962F828ECA2F130
                      SHA1:270730E2969B8B03DB2A08BA93DFE60CBFB36C5F
                      SHA-256:A7E91B042CE33490353C00244C0420C383A837E73E6006837A60D3C174102932
                      SHA-512:BB712043CDDBE62B5BFDD79796299B0C4DE0883A39F79CD006D3B04A1A2BED74B477DF985F7A89B653E20CB719B94FA255FDAA0819A8C6180C338C01F39B8382
                      Malicious:false
                      Preview:[<Properties>]..FontRegistration=No..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):37
                      Entropy (8bit):4.175273297885966
                      Encrypted:false
                      SSDEEP:3:m1eAsCMWRXBQYrD:mdjXIYf
                      MD5:8CE28395A49EB4ADA962F828ECA2F130
                      SHA1:270730E2969B8B03DB2A08BA93DFE60CBFB36C5F
                      SHA-256:A7E91B042CE33490353C00244C0420C383A837E73E6006837A60D3C174102932
                      SHA-512:BB712043CDDBE62B5BFDD79796299B0C4DE0883A39F79CD006D3B04A1A2BED74B477DF985F7A89B653E20CB719B94FA255FDAA0819A8C6180C338C01F39B8382
                      Malicious:false
                      Preview:[<Properties>]..FontRegistration=No..
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):10794
                      Entropy (8bit):3.7718133428363454
                      Encrypted:false
                      SSDEEP:192:w6Psa1xfLjpTOtmeYja1jxW45MsJkKm5UOZNPbX3BQUtHyPKYRJRWRHEFvtOev:wva1xHpTUHmmn
                      MD5:4D08D91965F75CF4D8F22015DDC8A8DE
                      SHA1:769A3C1F91A3198DCDFA5DD080C276F3688632D1
                      SHA-256:9904B14B5F94BCB6D0F4BD7E9694467274331F62B4144B1263C95631AE5EBA7A
                      SHA-512:E548C71CC69468A50FB9A7DAF866CF9DF0FA4DC0D9DF71FDEC8047E3EA3BB771727F96592568B4816839493FD7B6C2E7746E03BC35419411F8011370FEB1ED5E
                      Malicious:false
                      Preview:..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.9.].....A.F.G.3.0.0.0._.F.I.L.E._.D.E.S.C.R.I.P.T.I.O.N.=.T.e.k.t.r.o.n.i.x. .A.F.G.3.0.0.0./.A.r.b.E.x.p.r.e.s.s. .F.i.l.e.....A.R.B.E.X.P.R.E.S.S._.A.P.P.L.I.C.A.T.I.O.N.=.A.r.b.E.x.p.r.e.s.s...e.x.e.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.D.E.S.C.R.I.P.T.I.O.N.=.T.e.k.t.r.o.n.i.x. .A.r.b.E.x.p.r.e.s.s. .F.i.l.e.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.E.X.T.E.N.S.I.O.N.=...w.f.m.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.I.C.O.N._.I.N.D.E.X.=.0.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.I.D.=.A.r.b.E.x.p.r.e.s.s...D.o.c.u.m.e.n.t.....A.R.B.E.X.P.R.E.S.S._.T.F.W._.F.I.L.E._.E.X.T.E.N.S.I.O.N.=...t.f.w.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E._.D.E.S.C.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M.=.C.u.s.t.o.m.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M._.D.E.S.C._.P.R.O.=.C.u.s.t.o.m.....I.D.S._.D.O.T.N.E.T._.F.R.A.M.E.W.O.R.K.=.M.i.c.r.o.s.o.f.t. ...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):10794
                      Entropy (8bit):3.7718133428363454
                      Encrypted:false
                      SSDEEP:192:w6Psa1xfLjpTOtmeYja1jxW45MsJkKm5UOZNPbX3BQUtHyPKYRJRWRHEFvtOev:wva1xHpTUHmmn
                      MD5:4D08D91965F75CF4D8F22015DDC8A8DE
                      SHA1:769A3C1F91A3198DCDFA5DD080C276F3688632D1
                      SHA-256:9904B14B5F94BCB6D0F4BD7E9694467274331F62B4144B1263C95631AE5EBA7A
                      SHA-512:E548C71CC69468A50FB9A7DAF866CF9DF0FA4DC0D9DF71FDEC8047E3EA3BB771727F96592568B4816839493FD7B6C2E7746E03BC35419411F8011370FEB1ED5E
                      Malicious:false
                      Preview:..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.9.].....A.F.G.3.0.0.0._.F.I.L.E._.D.E.S.C.R.I.P.T.I.O.N.=.T.e.k.t.r.o.n.i.x. .A.F.G.3.0.0.0./.A.r.b.E.x.p.r.e.s.s. .F.i.l.e.....A.R.B.E.X.P.R.E.S.S._.A.P.P.L.I.C.A.T.I.O.N.=.A.r.b.E.x.p.r.e.s.s...e.x.e.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.D.E.S.C.R.I.P.T.I.O.N.=.T.e.k.t.r.o.n.i.x. .A.r.b.E.x.p.r.e.s.s. .F.i.l.e.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.E.X.T.E.N.S.I.O.N.=...w.f.m.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.I.C.O.N._.I.N.D.E.X.=.0.....A.R.B.E.X.P.R.E.S.S._.F.I.L.E._.I.D.=.A.r.b.E.x.p.r.e.s.s...D.o.c.u.m.e.n.t.....A.R.B.E.X.P.R.E.S.S._.T.F.W._.F.I.L.E._.E.X.T.E.N.S.I.O.N.=...t.f.w.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E._.D.E.S.C.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M.=.C.u.s.t.o.m.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M._.D.E.S.C._.P.R.O.=.C.u.s.t.o.m.....I.D.S._.D.O.T.N.E.T._.F.R.A.M.E.W.O.R.K.=.M.i.c.r.o.s.o.f.t. ...
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):389120
                      Entropy (8bit):5.523712660311275
                      Encrypted:false
                      SSDEEP:3072:bfJCQc/skkkkknOpb9YfMX0E9QsJB9cWe7Ka29stSyfQonN+kh:bhEskkkkknOpKluaufuNT
                      MD5:74F3C0FE8CAE9F03BF2A1AA3A0407D01
                      SHA1:C3C154F0BBD508483D58C2CB78498689F7B7C192
                      SHA-256:1D2F9BB9B2F0612265F9606D2A08889229FAF75D2F9F32CE048C5891C1F9F99A
                      SHA-512:ACF7A94E8E20C87AB16EDAF56C51AD99178AF30AD2DDED93652A27AD95B09D6D448BF7821419EB447108C7F603E2467857D8C318DDCF7FBBA15F7E3DBE13CC1E
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L....QVL...........!.....@...................P...............................................................................V..(........A...........................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc....A.......P..................@..@.reloc..8...........................@..B................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):389120
                      Entropy (8bit):5.523712660311275
                      Encrypted:false
                      SSDEEP:3072:bfJCQc/skkkkknOpb9YfMX0E9QsJB9cWe7Ka29stSyfQonN+kh:bhEskkkkknOpKluaufuNT
                      MD5:74F3C0FE8CAE9F03BF2A1AA3A0407D01
                      SHA1:C3C154F0BBD508483D58C2CB78498689F7B7C192
                      SHA-256:1D2F9BB9B2F0612265F9606D2A08889229FAF75D2F9F32CE048C5891C1F9F99A
                      SHA-512:ACF7A94E8E20C87AB16EDAF56C51AD99178AF30AD2DDED93652A27AD95B09D6D448BF7821419EB447108C7F603E2467857D8C318DDCF7FBBA15F7E3DBE13CC1E
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L....QVL...........!.....@...................P...............................................................................V..(........A...........................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc....A.......P..................@..@.reloc..8...........................@..B................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):12288
                      Entropy (8bit):1.034678937378336
                      Encrypted:false
                      SSDEEP:48:KaGQhetcZeXHLtrmlUR0L5ZrlwKcycwIhtrlrB+2htz9I:5l6BrMUuLb9QzPW
                      MD5:22D161C26445E007F499C71039DF15E1
                      SHA1:039DCB8FE6B2C84485DC0F6854530DEF26353ECC
                      SHA-256:76D38656DB2FB9195B74C0A5ADD0FDE5E89C7C0ABBB5C54A68BE4E89CAAFFA1A
                      SHA-512:440134930FC0EDEE1599FE4CEB0F2B8DD8A2857188303C4CA6C717BAFB7524CEE742450DD84CBE519C56D66E0F0747D4A2B88287B4419DE88D8FE3A67D1082CF
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ 5.A[..A[..A[.hG]..A[.Rich.A[.................PE..L....m._...........!......... ...............................................0..........................................................`.................... .......................................................................................rsrc...`...........................@..@.reloc....... ....... ..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):12288
                      Entropy (8bit):1.034678937378336
                      Encrypted:false
                      SSDEEP:48:KaGQhetcZeXHLtrmlUR0L5ZrlwKcycwIhtrlrB+2htz9I:5l6BrMUuLb9QzPW
                      MD5:22D161C26445E007F499C71039DF15E1
                      SHA1:039DCB8FE6B2C84485DC0F6854530DEF26353ECC
                      SHA-256:76D38656DB2FB9195B74C0A5ADD0FDE5E89C7C0ABBB5C54A68BE4E89CAAFFA1A
                      SHA-512:440134930FC0EDEE1599FE4CEB0F2B8DD8A2857188303C4CA6C717BAFB7524CEE742450DD84CBE519C56D66E0F0747D4A2B88287B4419DE88D8FE3A67D1082CF
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ 5.A[..A[..A[.hG]..A[.Rich.A[.................PE..L....m._...........!......... ...............................................0..........................................................`.................... .......................................................................................rsrc...`...........................@..@.reloc....... ....... ..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:RIFF (little-endian) data, palette, 1168 bytes, data size 1028, 256 entries, extra bytes 0x6f66666c
                      Category:dropped
                      Size (bytes):1168
                      Entropy (8bit):2.551387347019812
                      Encrypted:false
                      SSDEEP:12:b126a96IlDkYTYcspSuB0MRG763GDwFGrZYOFBz3WI7KEpw3f6QL7nhem:Ax96Il9T3ISMg76KJrZtT2b5X
                      MD5:0ABAFE3F69D053494405061DE2629C82
                      SHA1:E414B6F1E9EB416B9895012D24110B844F9F56D1
                      SHA-256:8075162DB275EB52F5D691B15FC0D970CB007F5BECE33CE5DB509EDF51C1F020
                      SHA-512:63448F2BEF338EA44F3BF9EF35E594EF94B4259F3B2595D77A836E872129B879CEF912E23CF48421BABF1208275E21DA1FABFDC494958BCFCD391C78308EAA27
                      Malicious:false
                      Preview:RIFF....PAL data..........................................................f...3..............f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3............f...3...............f...3..................f...3...............f..3.....f...f...f...ff..f3..f...3...3...3...3f..33..3................f...3...................f...3..................f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3................f...3.....f...f...f...f.f.f.3.f...f...f...f..f.f.f.3.f...f...f...f...f.i.f.3.f...ff..ff..ff..fff.ff3.ff..f3..f3..f3..f3f.f33.f3..f...f...f...f.f.f.3.f...3...3...3...3.f.3.3.3...3...3...3..3.f.3.3.3...3...3...3...3.f.3.3.3...3f..3f..3f..3ff.3f3.3f..33..33..33..33f.333.33..3...3...3...3.f.3.3.3.............f...3..............f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3............f...3.........................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                      Category:dropped
                      Size (bytes):265080
                      Entropy (8bit):7.943414176526729
                      Encrypted:false
                      SSDEEP:6144:4w2aRHD/ToBCIqR8qJsDW9L4yR3OSc27xbOuU0j+2zu:4iPG3DWqyR3a27x6un+Ou
                      MD5:3795427182D2DC8CE5609A342BC65313
                      SHA1:0E53A85D991526A9191D3B0F3007363B3649FAF0
                      SHA-256:F82E52E2A5176C01312F95B300B66AB1D2A0B0BC2556500C8F42A61390CC49CD
                      SHA-512:6C3669B38B67EE37D99F452AD6B0F58102FD0DB952E9F146B8E0EC409CE5BC61052D4CDB23C2EED4183B18BAF529C86AC95BAE420A90908D58D5F4399B0E1B76
                      Malicious:false
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.yo...<...<...<...<...<p..<...<...<...<U..<...<=..<...<d..<...<..<...<8.2<...<..<...<...<...<=..<X..<..<...<...<...<Rich...<........PE..L....=VL...........!.....p..........(6.......................................`......xH.......................................3..........................x....P.......................................................................................text...................PEC2MO...... ....rsrc....@.......2.................. ....reloc.......P......................@...................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:ASCII text, with very long lines (707), with CRLF line terminators
                      Category:dropped
                      Size (bytes):6460
                      Entropy (8bit):5.02098414757129
                      Encrypted:false
                      SSDEEP:96:wR5U3WeZg0nmRHp/cghbzd0jzpCI/YdT0MUbtYIg6MKLXMtQLALA:sgnmH/c0+pJAd9b6Fj0AuA
                      MD5:5EBE2A05F5D3D8B86FF7364D5B6289B0
                      SHA1:A0428F939028E25DE7E4619B7BFF2512A1E9E761
                      SHA-256:7C34201DF96FDCB5C88897D480F07074F77FD29A6B26ECA01D684B331385D831
                      SHA-512:A55FF416077403AE408116A87DB5BA84D4C750F399003BC1FCEFC8D8E73F79256F7F37648CFD49BFB377E3F562CBC7FA7276F680BE6049035128860694FE1CA8
                      Malicious:false
                      Preview:TEKTRONIX SOFTWARE LICENSE AGREEMENT..(Waveform Creation and Editing tool for Tektronix AWG/AFG instruments)....THE ENCLOSED OR ACCOMPANYING PROGRAM IS FURNISHED SUBJECT TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. USE OF THE PROGRAM IN ANY MANNER, DOWNLOADING AND UNPACKING THE PROGRAM FROM ITS COMPRESSED STATE OR INSTALLING THE PROGRAM FROM A CD WILL BE CONSIDERED ACCEPTANCE OF THE AGREEMENT TERMS. IF THESE TERMS ARE NOT ACCEPTABLE, THE UNUSED PROGRAM AND ANY ACCOMPANYING DOCUMENTATION SHOULD BE RETURNED PROMPTLY TO TEKTRONIX FOR A REFUND OF ANY LICENSE FEE PAID FOR THE PROGRAM.....DEFINITIONS..."Program" means the software program accompanying this Agreement....."Customer" means the person or organization that downloaded the Program or to whom the Program was otherwise furnished by Tektronix.....LICENSE...Customer may:..a..Use the Program on any machine owned or controlled by Customer solely for use with instruments manufactured or marketed by Tektronix;..b..Copy the Program for
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):246914
                      Entropy (8bit):7.384542988989865
                      Encrypted:false
                      SSDEEP:3072:jboSoC531QrAcXoLqmRemqmZNCGqgzADb2EZ01m+qM8fvXzq7vy51QiabTeUL+9U:jboNCpiYGGNCd+uC67CTeVHJE
                      MD5:9F8490DD84FDDECA54D6F14F25870974
                      SHA1:ED5998423E45E47D67E7ABFA9D304D81E1C5C164
                      SHA-256:2DEFD9BD3F762CE684820242B72605FF9D1C96EDE0B12932B5C3C970F5ADFF8F
                      SHA-512:CBC6575408171D438BA590F39B49A2551C9F2EF1F29B4222205D2934A32084137E59FED3A8EAE7C494BA021318AE76906365F89DA23C3E84F11F2B9C29FA4269
                      Malicious:false
                      Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a@!mQ.Y]A..M1%*)!.)........................................}...m..q]}.eMm.U=].E-M.5.=.%.-..............................U......q..8...X...iaaUi.@..MEE)M..wSk..g....._.c.33o/.......<...H..$....,.h......m..X........E]].E....wg.S[wSS.....K./C3W.$H`P(.......H.$.....u..a...0x$...5mAYY.A....ck.cc.k.W.g/......;.oX0 .T,.0,,...........\......q..Yq... ....1II.1....W.k[k.......#...d<$@<<......8... ,|$..`......1q.$.............!!!.)g.K.Ow.;_.....#.<4l.P....L.....|,...........Y..D..P......1II.1.......C..cW{.......?.TDl....0X......$...$....D...iu.1u.0.T...s.....)!.).C.K3.3S#k.C7[.....8.L<D.<.4.,(....q.....H..\.iaaMi........p%==.%c.C.G;{{0........XHP.h<@........,..(......X...A}y]a.sD.....5I=55)=s.._.....7GO...../OlT(.....X.................y.eqqey...]UU5]..w{...-%%.-O.G.[.....O.k.tH......4(L...............u..au...YmAYY)A.g k.so.Kk......w'.g#+;+[. ..<T.
                      Process:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      File Type:Generic INItialization configuration [ALL]
                      Category:dropped
                      Size (bytes):25527
                      Entropy (8bit):4.801368694271482
                      Encrypted:false
                      SSDEEP:192:Rp4NNm9MNfLrOlD52MzFwFeSAWak8VeuGPy4fcPB3jhe7fnoJgX7I7N:Rp4NNm+NU
                      MD5:DB0B65FBB51667D25B39FAF77C9EBB52
                      SHA1:56482F2FAF50568D37FB133D5ACD25A4F93D428F
                      SHA-256:4C10EF89B1B745CB68D6D527BCD197339B5DF82AC32C962133D1CB6E6C6BDB24
                      SHA-512:D1A9E2A0F47FBB19522FFBF4A9CA1DC49330E3619C78EE1A57D1CEA868C25F698A0DB9F13A51C2FDB41553F71D744D17809E45BF526994D9314B3507288F624D
                      Malicious:false
                      Preview:[SKINS]..VERSION=1....[ALL]..TEXTCOLOR=255,255,255..RECTS=2..RECT1=0,51,102..RECT1POS=0,0..RECT1AREA=460,35..RECT2=61,102,171..RECT2POS=0,35..RECT2AREA=460,280..IMAGES=3..IMAGE1=LeftSplash2.BMP..IMAGE1POS=0,35..IMAGE1OPT=SCALE,UPPER_LEFT..IMAGE2=TopDivider.gif..IMAGE2POS=0,35..IMAGE2OPT=SCALE,HCENTER,UPPER_LEFT..IMAGE3=Console2.gif..IMAGE3POS=0,0..IMAGE3OPT=SCALE,LOWER_LEFT..BUTTONSUP=ButtonNormal.gif..BUTTONSDOWN=ButtonPushed.gif..BUTTONSOPT=SCALE,TRANSPARENT..BUTTONSTXTCLR=0,0,0..BUTTONSDISTXTCLR=96,104,112..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=2..BUTTON4POS=400,284....[AskPath]..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=31..BUTTON4POS=390,112....[AskDestPath]..BUTTONS=4..BUTTON1=12..BUTTON1POS=195,284..BUTTON2=1..BUTTON2POS=250,284..BUTTON3=9..BUTTON3POS=400,284..BUTTON4=196..BUTTON4POS=390,231....[ComponentDialog]..BUTTONS=4..BUTTON1=12.
                      Process:C:\Windows\SysWOW64\cacls.exe
                      File Type:ASCII text, with very long lines (2002), with no line terminators
                      Category:dropped
                      Size (bytes):2002
                      Entropy (8bit):3.4576760942172498
                      Encrypted:false
                      SSDEEP:12:gb9bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbRbbbbbbbbbbU:t
                      MD5:88C638B18640262EC1BA40807D892E47
                      SHA1:7B5E5EC3379506F4B44D31D994133F7A0D4A7F8B
                      SHA-256:F18CD18B31B8FB53A7F84ABFFCD050213A1AECC6D4CD74FB9BF625D363F5AC01
                      SHA-512:239695991E673C69ED8E5A0BC4ED946D0A427A47816B5D3D63E79B7BA40BE76B49D2BDBAAB1048CD11FA1440D5F48648767AF9B8BF7384376DC7CCA117D2A7B2
                      Malicious:false
                      Preview:processed dir: processed dir: processed dir: processed dir: processed dir: processed file: processed file: processed dir: processed dir: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed file: processed dir: processed dir: processed dir: processed dir: pro
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.977946547120798
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 95.55%
                      • DirectShow filter (201580/2) 1.93%
                      • Windows ActiveX control (116523/4) 1.11%
                      • Win32 EXE PECompact compressed (v2.x) (59071/9) 0.56%
                      • InstallShield setup (43055/19) 0.41%
                      File name:ArbExpress_V3.6_en_0703_066146106.exe
                      File size:45'206'398 bytes
                      MD5:e2e80e23d79df3609dcaee7c2d7c2e72
                      SHA1:5318eef048fc22d2a027a1715658089c34c1d41d
                      SHA256:5c9ab13b2956d8dfadde510ea37578d8a67a59aff8d40d7524c756e1b602db5f
                      SHA512:19d9128d7e3a2efee02fc32d6a84a8a5b51dfab747ffb8af7035c5e5e5a588fec0e3ae59f8d9619375af0e44a32ea530cfd67abc6f358f3b5d16afc14c616b5c
                      SSDEEP:786432:aJv3YHKyr6GL778Z/u7YdCB6iUwBNyDv5q3QCPakTWcocoginxsc91a:IvoqyGGL77f7kCBxEDhtmakTUtxb94
                      TLSH:4CA73303B962444EE59269B0DCAF0DB4AA707D6BAA32624F3781FD2C3DF14827547B1D
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`&...H...H...H...D...H.U.F...H...C...H..'B._.H..y....H.."T...H..#m...H...I...H.,"Q...H..'C...H...N...H.Rich..H................
                      Icon Hash:4492c4ceb2d2c245
                      Entrypoint:0x43d97d
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      DLL Characteristics:TERMINAL_SERVER_AWARE
                      Time Stamp:0x4C563DA6 [Mon Aug 2 03:38:14 2010 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:d359f27a4bcb5db01bbb086efdc99bd8
                      Instruction
                      push ebp
                      mov ebp, esp
                      push FFFFFFFFh
                      push 004675A8h
                      push 0043F0A8h
                      mov eax, dword ptr fs:[00000000h]
                      push eax
                      mov dword ptr fs:[00000000h], esp
                      sub esp, 58h
                      push ebx
                      push esi
                      push edi
                      mov dword ptr [ebp-18h], esp
                      call dword ptr [0046638Ch]
                      xor edx, edx
                      mov dl, ah
                      mov dword ptr [0047D704h], edx
                      mov ecx, eax
                      and ecx, 000000FFh
                      mov dword ptr [0047D700h], ecx
                      shl ecx, 08h
                      add ecx, edx
                      mov dword ptr [0047D6FCh], ecx
                      shr eax, 10h
                      mov dword ptr [0047D6F8h], eax
                      push 00000001h
                      call 00007F67F48562F3h
                      pop ecx
                      test eax, eax
                      jne 00007F67F48538EAh
                      push 0000001Ch
                      call 00007F67F48539A7h
                      pop ecx
                      call 00007F67F4854874h
                      test eax, eax
                      jne 00007F67F48538EAh
                      push 00000010h
                      call 00007F67F4853996h
                      pop ecx
                      xor esi, esi
                      mov dword ptr [ebp-04h], esi
                      call 00007F67F4857C03h
                      call 00007F67F4857B5Dh
                      mov dword ptr [0047EF20h], eax
                      call 00007F67F48579E6h
                      mov dword ptr [0047D658h], eax
                      call 00007F67F48577B3h
                      call 00007F67F48576F6h
                      call 00007F67F4854CEAh
                      mov dword ptr [ebp-30h], esi
                      lea eax, dword ptr [ebp-5Ch]
                      push eax
                      call dword ptr [00466318h]
                      call 00007F67F485769Ah
                      mov dword ptr [ebp-64h], eax
                      test byte ptr [ebp-30h], 00000001h
                      je 00007F67F48538E8h
                      movzx eax, word ptr [ebp-2Ch]
                      Programming Language:
                      • [ C ] VS98 (6.0) SP6 build 8804
                      • [IMP] VS2008 SP1 build 30729
                      • [C++] VS98 (6.0) SP6 build 8804
                      • [EXP] VC++ 6.0 SP5 build 8804
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x724b0 | 0x104 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7f000 | 0x48878 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x66000 | 0x588 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x64e63 | 0x65000 | 6ba40cc976e0fccea8fad1b9f11148c2 | False | 0.5117114982982673 | data | 6.595714436384025 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x66000 | 0xe256 | 0xe400 | 688f80559ce0a808a88a5f77d346af22 | False | 0.3622361567982456 | data | 4.460932540314023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x75000 | 0x9f24 | 0x8400 | 7d0a0b5e6306ca9044dbf53ad2752072 | False | 0.24532433712121213 | data | 3.277902439193296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x7f000 | 0x48878 | 0x48a00 | db337c833af6f13c264fe1c76afda0e8 | False | 0.31875605098967297 | data | 6.344657477747268 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      GIF | 0x7fe3c | 0x6592 | GIF image data, version 89a, 175 x 312 | English | United States | 0.9916544881162987
                      RT_BITMAP | 0x863d0 | 0x14220 | Device independent bitmap graphic, 220 x 370 x 8, image size 81400 | | | 0.34390764454792394
                      RT_BITMAP | 0x9a5f0 | 0x1b5c | Device independent bitmap graphic, 180 x 75 x 4, image size 6900 | | | 0.18046830382638493
                      RT_BITMAP | 0x9c14c | 0x38e4 | Device independent bitmap graphic, 180 x 75 x 8, image size 13500 | | | 0.26689096402087337
                      RT_BITMAP | 0x9fa30 | 0x1238 | Device independent bitmap graphic, 60 x 60 x 8, image size 3600 | | | 0.23499142367066894
                      RT_BITMAP | 0xa0c68 | 0x6588 | Device independent bitmap graphic, 161 x 152 x 8, image size 24928, resolution 3796 x 3796 px/m, 256 important colors | | | 0.3035934133579563
                      RT_BITMAP | 0xa71f0 | 0x11f88 | Device independent bitmap graphic, 161 x 152 x 24, image size 73568, resolution 3780 x 3780 px/m | | | 0.12790729268557766
                      RT_ICON | 0xb9178 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.1152439024390244
                      RT_ICON | 0xb97e0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.2217741935483871
                      RT_ICON | 0xb9ac8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.40202702702702703
                      RT_ICON | 0xb9bf0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.052505330490405115
                      RT_ICON | 0xbaa98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.07490974729241877
                      RT_ICON | 0xbb340 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.08959537572254335
                      RT_ICON | 0xbb8a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2932572614107884
                      RT_ICON | 0xbde50 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4343339587242026
                      RT_ICON | 0xbeef8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7198581560283688
                      RT_ICON | 0xbf360 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.35618279569892475
                      RT_ICON | 0xbf648 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.42473118279569894
                      RT_DIALOG | 0xbf930 | 0x1fe | data | | | 0.4745098039215686
                      RT_DIALOG | 0xbfb30 | 0x296 | data | | | 0.44108761329305135
                      RT_DIALOG | 0xbfdc8 | 0x2e0 | data | | | 0.43342391304347827
                      RT_DIALOG | 0xc00a8 | 0x64 | data | | | 0.68
                      RT_DIALOG | 0xc010c | 0x42 | data | | | 0.8333333333333334
                      RT_DIALOG | 0xc0150 | 0xe6 | data | | | 0.6434782608695652
                      RT_DIALOG | 0xc0238 | 0x124 | data | | | 0.5068493150684932
                      RT_DIALOG | 0xc035c | 0xe6 | data | | | 0.5826086956521739
                      RT_DIALOG | 0xc0444 | 0x276 | data | | | 0.45396825396825397
                      RT_DIALOG | 0xc06bc | 0x3d8 | data | | | 0.41971544715447157
                      RT_DIALOG | 0xc0a94 | 0x182 | data | | | 0.5233160621761658
                      RT_DIALOG | 0xc0c18 | 0x21c | data | | | 0.48148148148148145
                      RT_DIALOG | 0xc0e34 | 0x1fa | data | | | 0.5079051383399209
                      RT_DIALOG | 0xc1030 | 0x222 | data | | | 0.4835164835164835
                      RT_DIALOG | 0xc1254 | 0x8c | data | | | 0.7285714285714285
                      RT_DIALOG | 0xc12e0 | 0x3cc | data | | | 0.43209876543209874
                      RT_DIALOG | 0xc16ac | 0x158 | data | | | 0.5494186046511628
                      RT_DIALOG | 0xc1804 | 0x1ea | data | | | 0.5163265306122449
                      RT_DIALOG | 0xc19f0 | 0x116 | data | | | 0.6079136690647482
                      RT_DIALOG | 0xc1b08 | 0xee | data | | | 0.6260504201680672
                      RT_DIALOG | 0xc1bf8 | 0x1d4 | data | | | 0.5021367521367521
                      RT_DIALOG | 0xc1dcc | 0x1ec | data | | | 0.5142276422764228
                      RT_DIALOG | 0xc1fb8 | 0x2b8 | data | | | 0.4813218390804598
                      RT_STRING | 0xc2270 | 0x160 | data | English | United States | 0.5340909090909091
                      RT_STRING | 0xc23d0 | 0x23e | data | English | United States | 0.40418118466898956
                      RT_STRING | 0xc2610 | 0x378 | data | English | United States | 0.4222972972972973
                      RT_STRING | 0xc2988 | 0x252 | data | English | United States | 0.4393939393939394
                      RT_STRING | 0xc2bdc | 0x1f4 | data | English | United States | 0.442
                      RT_STRING | 0xc2dd0 | 0x66c | data | English | United States | 0.36253041362530414
                      RT_STRING | 0xc343c | 0x366 | data | English | United States | 0.41379310344827586
                      RT_STRING | 0xc37a4 | 0x27e | data | English | United States | 0.4561128526645768
                      RT_STRING | 0xc3a24 | 0x518 | data | English | United States | 0.39800613496932513
                      RT_STRING | 0xc3f3c | 0x882 | data | English | United States | 0.3002754820936639
                      RT_STRING | 0xc47c0 | 0x23e | data | English | United States | 0.45121951219512196
                      RT_STRING | 0xc4a00 | 0x3ba | data | English | United States | 0.3280922431865828
                      RT_STRING | 0xc4dbc | 0x12c | data | English | United States | 0.5266666666666666
                      RT_STRING | 0xc4ee8 | 0x4a | data | English | United States | 0.6756756756756757
                      RT_STRING | 0xc4f34 | 0xda | data | English | United States | 0.6100917431192661
                      RT_STRING | 0xc5010 | 0x110 | data | English | United States | 0.5845588235294118
                      RT_STRING | 0xc5120 | 0x20a | data | English | United States | 0.4521072796934866
                      RT_STRING | 0xc532c | 0xba | Matlab v4 mat-file (little endian) P, numeric, rows 0, columns 0 | English | United States | 0.5860215053763441
                      RT_STRING | 0xc53e8 | 0xa8 | data | English | United States | 0.6607142857142857
                      RT_STRING | 0xc5490 | 0x12a | data | English | United States | 0.5201342281879194
                      RT_STRING | 0xc55bc | 0x422 | data | English | United States | 0.2741020793950851
                      RT_STRING | 0xc59e0 | 0x5c2 | data | English | United States | 0.37720488466757124
                      RT_STRING | 0xc5fa4 | 0x40 | data | English | United States | 0.671875
                      RT_STRING | 0xc5fe4 | 0xcaa | data | English | United States | 0.2313386798272671
                      RT_STRING | 0xc6c90 | 0x284 | data | English | United States | 0.43788819875776397
                      RT_GROUP_ICON | 0xc6f14 | 0x5a | data | | | 0.7555555555555555
                      RT_GROUP_ICON | 0xc6f70 | 0x14 | data | | | 1.25
                      RT_GROUP_ICON | 0xc6f84 | 0x14 | data | | | 1.25
                      RT_VERSION | 0xc6f98 | 0x468 | data | | | 0.4237588652482269
                      RT_MANIFEST | 0xc7400 | 0x477 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4689413823272091
                      DLL | Import
                      COMCTL32.dll |
                      VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                      KERNEL32.dll | FindResourceExW, GetDriveTypeW, WriteFile, lstrcpynW, lstrcmpiW, GetFileAttributesW, FindClose, FindFirstFileW, UnmapViewOfFile, MapViewOfFile, GetSystemInfo, VirtualQuery, CompareStringA, IsBadReadPtr, CreateFileMappingW, CreateDirectoryW, CompareStringW, GetCurrentDirectoryW, ExpandEnvironmentStringsW, SetFileAttributesW, FileTimeToLocalFileTime, GetFileTime, HeapFree, HeapAlloc, GetProcessHeap, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetProcAddress, GetModuleHandleW, GetPrivateProfileIntW, lstrcpyW, lstrlenW, Sleep, CloseHandle, CreateProcessW, RemoveDirectoryW, DeleteFileW, SetLastError, GetFileSize, SetFilePointer, CreateEventW, QueryPerformanceFrequency, GetSystemTimeAsFileTime, ReleaseMutex, GetUserDefaultLangID, GetSystemDefaultLangID, CreateMutexW, SetErrorMode, LoadLibraryW, lstrcatW, FreeLibrary, GetDiskFreeSpaceW, VerLanguageNameW, WideCharToMultiByte, ReadFile, GetTickCount, GetCommandLineW, ExitThread, CreateThread, GetDateFormatA, GetTimeFormatA, CreateFileA, FreeResource, lstrcatA, MulDiv, lstrcmpiA, GetPrivateProfileIntA, GetPrivateProfileStringA, GetPrivateProfileSectionNamesA, GetOEMCP, GetACP, FlushFileBuffers, SetStdHandle, LoadLibraryA, GetStringTypeW, GetStringTypeA, IsBadCodePtr, GetExitCodeProcess, GetLocaleInfoW, IsValidLocale, lstrcpyA, lstrlenA, GetWindowsDirectoryW, InterlockedDecrement, LocalFree, InterlockedIncrement, FormatMessageW, GetTempPathW, GetVersionExW, CreateFileW, GlobalFree, FindResourceW, LoadResource, SizeofResource, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, MultiByteToWideChar, GetModuleFileNameW, GetSystemDirectoryW, SetCurrentDirectoryW, WaitForSingleObject, ExitProcess, GetCurrentProcess, DuplicateHandle, GetThreadContext, VirtualProtectEx, WriteProcessMemory, FlushInstructionCache, SetThreadContext, ResumeThread, GetLastError, GetCPInfo, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, GetCommandLineA, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleA, HeapReAlloc, RaiseException, RtlUnwind, DeleteCriticalSection, InterlockedExchange, MoveFileExW, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetVersionExA, GetEnvironmentVariableA, GetModuleFileNameA, SetUnhandledExceptionFilter, HeapSize, LCMapStringW, LCMapStringA, TlsGetValue, GetTempFileNameW, OpenProcess, CompareFileTime, GetProcessTimes, TerminateProcess, GetLocalTime, InitializeCriticalSection, GetCurrentProcessId, GetVersion, LeaveCriticalSection, EnterCriticalSection, GetCurrentThread, VirtualProtect, SearchPathW, ResetEvent, SetEvent, QueryPerformanceCounter, SystemTimeToFileTime, lstrcmpA, FindNextFileW, lstrcmpW
                      USER32.dll | CharUpperW, WaitForInputIdle, DialogBoxIndirectParamW, MessageBoxW, wsprintfW, SetForegroundWindow, SetWindowLongW, SetWindowTextW, SendMessageW, GetDlgItem, LoadIconW, EndDialog, MoveWindow, SetActiveWindow, DrawTextW, SetFocus, BeginPaint, LoadStringW, FillRect, EndPaint, GetMessageW, DefWindowProcW, GetWindow, SystemParametersInfoW, GetSystemMetrics, MapWindowPoints, GetPropW, EnableMenuItem, SetPropW, RemovePropW, GetSysColor, LoadImageW, GetDC, ReleaseDC, CreateDialogParamW, GetParent, GetWindowTextW, IsWindowVisible, ExitWindowsEx, UpdateWindow, InvalidateRect, DrawIcon, MapDialogRect, wsprintfA, GetClassNameW, GetWindowRect, DrawFocusRect, InflateRect, CallWindowProcW, GetWindowDC, CopyRect, EnumChildWindows, CreateWindowExW, RegisterClassExW, IntersectRect, GetDlgItemTextW, CreateDialogIndirectParamW, GetDesktopWindow, GetClientRect, IsWindowEnabled, FindWindowExW, IsDialogMessageW, PeekMessageW, MsgWaitForMultipleObjects, TranslateMessage, DispatchMessageW, EnableWindow, ShowWindow, SendDlgItemMessageW, PostMessageW, ScreenToClient, SetWindowPos, IsWindow, DestroyWindow, GetWindowLongW, SetDlgItemTextW
                      GDI32.dll | SetBkMode, SetTextColor, TextOutW, RestoreDC, SetBkColor, CreateSolidBrush, UnrealizeObject, SelectPalette, RealizePalette, BitBlt, CreateCompatibleDC, SelectObject, GetDIBColorTable, GetSystemPaletteEntries, CreatePalette, DeleteDC, CreateHalftonePalette, GetDeviceCaps, TranslateCharsetInfo, GetObjectW, CreateFontIndirectW, DeleteObject, CreateCompatibleBitmap, CreateDCW, GetStockObject, GetTextExtentPoint32W, CreatePatternBrush, CreateDIBitmap, DeleteMetaFile, SetMetaFileBitsEx, SetStretchBltMode, SelectClipRgn, CreateRectRgn, SetPixel, PatBlt, PlayMetaFile, StretchBlt, CreateBitmap, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, SetMapMode, SaveDC
                      ADVAPI32.dll | RegCreateKeyExW, RegOpenKeyExA, RegQueryValueExA, OpenThreadToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyW, RegEnumKeyW, RegEnumKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegQueryValueExW, RegDeleteValueW, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, RegOpenKeyExW, RegCloseKey
                      SHELL32.dll | ShellExecuteExW, SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation
                      ole32.dll | CoInitialize, CoUninitialize, CoInitializeSecurity
                      OLEAUT32.dll | VariantChangeType, VariantClear, GetErrorInfo, SysStringLen, SysReAllocStringLen, SysAllocString, SysFreeString, SysAllocStringLen
                      LZ32.dll | LZOpenFileW, LZCopy, LZClose
                      msi.dll |
                      RPCRT4.dll | UuidToStringW, RpcStringFreeW, UuidCreate
                      Language of compilation system | Country where language is spoken
                      English | United States
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 8, 2024 08:34:20.811788082 CEST | 53 | 61347 | 162.159.36.2 | 192.168.2.5
                      Oct 8, 2024 08:34:21.327908993 CEST | 57902 | 53 | 192.168.2.5 | 1.1.1.1
                      Oct 8, 2024 08:34:21.335939884 CEST | 53 | 57902 | 1.1.1.1 | 192.168.2.5
                      Oct 8, 2024 08:34:23.005273104 CEST | 64170 | 53 | 192.168.2.5 | 1.1.1.1
                      Oct 8, 2024 08:34:23.012262106 CEST | 53 | 64170 | 1.1.1.1 | 192.168.2.5
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Oct 8, 2024 08:34:21.327908993 CEST | 192.168.2.5 | 1.1.1.1 | 0xe3b3 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                      Oct 8, 2024 08:34:23.005273104 CEST | 192.168.2.5 | 1.1.1.1 | 0xa31e | Standard query (0) | 197.87.175.4.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 8, 2024 08:34:21.335939884 CEST | 1.1.1.1 | 192.168.2.5 | 0xe3b3 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                      Oct 8, 2024 08:34:23.012262106 CEST | 1.1.1.1 | 192.168.2.5 | 0xa31e | Name error (3) | 197.87.175.4.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


                      Target ID:0
                      Start time:02:33:47
                      Start date:08/10/2024
                      Path:C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\ArbExpress_V3.6_en_0703_066146106.exe"
                      Imagebase:0x400000
                      File size:45'206'398 bytes
                      MD5 hash:E2E80E23D79DF3609DCAEE7C2D7C2E72
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:3
                      Start time:02:34:22
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A3681F74-C246-4C16-9456-61CA4AC85351}
                      Imagebase:0x140000000
                      File size:107'392 bytes
                      MD5 hash:B83D2774CDAF5016CD8765A630FA1150
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:8
                      Start time:02:34:54
                      Start date:08/10/2024
                      Path:C:\Windows\System32\SrTasks.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
                      Imagebase:0x7ff63f120000
                      File size:59'392 bytes
                      MD5 hash:2694D2D28C368B921686FE567BD319EB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:9
                      Start time:02:34:54
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:02:34:55
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DevComponents.DotNetBar2.dll"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:11
                      Start time:02:34:55
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:02:34:58
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbConnect.dll"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:13
                      Start time:02:34:58
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:14
                      Start time:02:35:00
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbExpress.exe"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:15
                      Start time:02:35:00
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:16
                      Start time:02:35:01
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ArbLib.dll"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:17
                      Start time:02:35:01
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:18
                      Start time:02:35:03
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\DisplayComponent.dll"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:19
                      Start time:02:35:03
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:20
                      Start time:02:35:05
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\PreviewComponent.dll"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:21
                      Start time:02:35:05
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:22
                      Start time:02:35:06
                      Start date:08/10/2024
                      Path:C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\dotnetinstaller.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Local\Temp\{D087C162-559C-4D68-B967-62FB89959971}\DotNetInstaller.exe" "C:\Program Files (x86)\Tektronix\ArbExpress\System\ScopeAcqPages.dll"
                      Imagebase:0x400000
                      File size:11'152 bytes
                      MD5 hash:8F50951DC767385E6E9801ECACC621E3
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:23
                      Start time:02:35:06
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:25
                      Start time:02:35:29
                      Start date:08/10/2024
                      Path:C:\Windows\SysWOW64\cmd.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\cmd.exe /c cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
                      Imagebase:0x790000
                      File size:236'544 bytes
                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:26
                      Start time:02:35:29
                      Start date:08/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6d64d0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true

                      Target ID:27
                      Start time:02:35:30
                      Start date:08/10/2024
                      Path:C:\Windows\SysWOW64\cacls.exe
                      Wow64 process (32bit):true
                      Commandline:cacls "C:\Program Files (x86)\Tektronix\ArbExpress" /T /E /G Users:F
                      Imagebase:0xce0000
                      File size:27'648 bytes
                      MD5 hash:00BAAE10C69DAD58F169A3ED638D6C59
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Has exited:true


                        Execution Graph

                        Execution Coverage:7.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:13.1%
                        Total number of Nodes:1945
                        Total number of Limit Nodes:53
6781->6784 6785 1400030bf 6784->6785 6785->6783 6790 14000733c 6793 140008934 6790->6793 6794 14000c1ac _lock 47 API calls 6793->6794 6798 140008947 6794->6798 6795 140008990 6802 14000c0ac LeaveCriticalSection 6795->6802 6798->6795 6800 140007398 free 47 API calls 6798->6800 6801 14000897b 6798->6801 6799 140007398 free 47 API calls 6799->6795 6800->6801 6801->6799 6809 140002f40 6810 1400079f8 __CxxFrameHandler 47 API calls 6809->6810 6811 140002f4e 6810->6811 5722 140007b44 GetStartupInfoW 5725 140007b6b 5722->5725 5762 140008ad8 HeapCreate 5725->5762 5726 140007c0d 5765 140008e38 5726->5765 5727 140007bf4 5885 140009844 5727->5885 5728 140007bf9 5894 14000961c 5728->5894 5734 140007c38 _RTC_Initialize 5781 14000a4c4 GetStartupInfoA 5734->5781 5736 140007c24 5738 14000961c malloc 47 API calls 5736->5738 5737 140007c1f 5739 140009844 _FF_MSGBANNER 47 API calls 5737->5739 5740 140007c2e 5738->5740 5739->5736 5742 1400090e8 malloc 3 API calls 5740->5742 5742->5734 5744 140007c51 GetCommandLineW 5794 14000a430 GetEnvironmentStringsW 5744->5794 5749 140007c6e 5750 140007c7c 5749->5750 5751 14000907c _lock 47 API calls 5749->5751 5804 14000a070 5750->5804 5751->5750 5754 140007c8f 5817 140009188 5754->5817 5755 14000907c _lock 47 API calls 5755->5754 5757 140007c99 5758 140007ca4 5757->5758 5759 14000907c _lock 47 API calls 5757->5759 5823 140001a00 GetCommandLineW CoInitializeEx 5758->5823 5759->5758 5761 140007cca 5763 140008afc HeapSetInformation 5762->5763 5764 140007be7 5762->5764 5763->5764 5764->5726 5764->5727 5764->5728 5935 1400093fc 5765->5935 5767 140008e43 5940 14000bf9c 5767->5940 5770 140008eac 5958 140008b7c 5770->5958 5771 140008e4c FlsAlloc 5771->5770 5773 140008e64 5771->5773 5944 140008f28 5773->5944 5777 140008e7b FlsSetValue 5777->5770 5778 140008e8e 5777->5778 5949 140008ba4 5778->5949 5782 140008f28 _getptd 47 API calls 5781->5782 5791 14000a501 5782->5791 5783 140007c43 5783->5744 5930 14000907c 5783->5930 5784 14000a6ed GetStdHandle 5789 
14000a6c7 5784->5789 5785 14000a71c GetFileType 5785->5789 5786 140008f28 _getptd 47 API calls 5786->5791 5787 14000a77c SetHandleCount 5787->5783 5788 14000a630 5788->5783 5788->5789 5792 14000a663 GetFileType 5788->5792 5793 14000d21c _lock InitializeCriticalSectionAndSpinCount 5788->5793 5789->5783 5789->5784 5789->5785 5789->5787 5790 14000d21c _lock InitializeCriticalSectionAndSpinCount 5789->5790 5790->5789 5791->5783 5791->5786 5791->5788 5791->5789 5792->5788 5793->5788 5795 140007c62 5794->5795 5796 14000a458 5794->5796 5800 14000a340 GetModuleFileNameW 5795->5800 5797 140008ebc _lock 47 API calls 5796->5797 5798 14000a47f __initmbctable 5797->5798 5799 14000a498 FreeEnvironmentStringsW 5798->5799 5799->5795 5801 14000a380 5800->5801 5802 140008ebc _lock 47 API calls 5801->5802 5803 14000a3e0 5801->5803 5802->5803 5803->5749 5805 14000a0a3 5804->5805 5806 140007c81 5804->5806 5807 140008f28 _getptd 47 API calls 5805->5807 5806->5754 5806->5755 5814 14000a0d1 5807->5814 5808 14000a14e 5809 140007398 free 47 API calls 5808->5809 5809->5806 5810 140008f28 _getptd 47 API calls 5810->5814 5811 14000a18e 5812 140007398 free 47 API calls 5811->5812 5812->5806 5814->5806 5814->5808 5814->5810 5814->5811 5815 14000a129 5814->5815 6064 14000d678 5814->6064 5816 14000946c malloc 8 API calls 5815->5816 5816->5814 5818 14000919e _cinit 5817->5818 6073 14000cf34 5818->6073 5820 1400091bb _initterm_e 5822 1400091de _cinit 5820->5822 6076 1400075c0 5820->6076 5822->5757 5825 140001a78 GetCurrentThreadId 5823->5825 6093 1400028b0 5825->6093 5828 140001b5b SysStringLen 5830 140001b68 SysStringLen CharUpperBuffW 5828->5830 5831 140001b7c 5828->5831 5829 140001b50 6126 140006060 5829->6126 5830->5831 5833 1400028b0 59 API calls 5831->5833 5835 140001bb0 5833->5835 5834 140001b5a 5834->5828 6099 140001840 5835->6099 5837 140001bc7 5843 140001c3d CharNextW 5837->5843 5845 140001c53 CharNextW 5837->5845 5846 140001c2f CharNextW 5837->5846 5847 140001c4e 5837->5847 5838 140001cf8 
CreateEventW 5839 140001d14 CreateThread 5838->5839 5840 140001d3b 5838->5840 5839->5840 5841 140001d43 StringFromGUID2 SysAllocString 5840->5841 5842 140001db8 SysStringLen 5840->5842 5848 140001d75 5841->5848 5849 140001d80 SysFreeString SysStringByteLen SysAllocStringByteLen 5841->5849 5850 140001dc5 SysStringLen CharUpperBuffW 5842->5850 5851 140001dd9 5842->5851 5843->5837 5843->5847 5844 140001ff7 CoUninitialize SysFreeString 5855 140002011 5844->5855 5845->5847 5856 140001c68 5845->5856 5846->5837 5846->5843 5847->5838 5868 140001f32 5847->5868 5852 140006060 20 API calls 5848->5852 5853 140001da4 5849->5853 5854 140001daf SysFreeString 5849->5854 5850->5851 5880 140001df0 5851->5880 6135 140002e60 5851->6135 5857 140001d7f 5852->5857 5859 140006060 20 API calls 5853->5859 5854->5842 6115 140007200 5855->6115 5862 140001c70 lstrcmpiW 5856->5862 5857->5849 5858 140001fe3 DeleteCriticalSection 5858->5844 5863 140001dae 5859->5863 5867 140001c88 lstrcmpiW 5862->5867 5862->5868 5863->5854 5864 140002030 5864->5761 5865 140001ec2 5869 140001f11 SleepEx 5865->5869 5870 140001ec8 GetMessageW 5865->5870 5866 140001e10 CreateItemMoniker 5871 140001e30 Sleep 5866->5871 5866->5880 5867->5868 5881 140001ca0 5867->5881 5868->5844 5868->5858 5874 140001f23 5869->5874 5875 140001f29 SysFreeString 5869->5875 5872 140001f02 5870->5872 5873 140001edf 5870->5873 5876 140001e45 5871->5876 5871->5880 5872->5869 5878 140001ee0 DispatchMessageW GetMessageW 5873->5878 5874->5875 5875->5868 5876->5880 5877 140001e62 GetRunningObjectTable 5879 140001e9f Sleep 5877->5879 5877->5880 5878->5872 5878->5878 5879->5880 5880->5865 5880->5866 5880->5877 5880->5879 5881->5847 5882 140001ccb CharNextW 5881->5882 5883 140001cbd CharNextW 5881->5883 5884 140001cde CharNextW 5881->5884 5882->5847 5882->5881 5883->5881 5883->5882 5884->5847 5884->5862 6324 14000d5a4 5885->6324 5888 140009861 5890 14000961c malloc 47 API calls 5888->5890 5893 140009882 5888->5893 5889 14000d5a4 _FF_MSGBANNER 47 API 
calls 5889->5888 5891 140009878 5890->5891 5892 14000961c malloc 47 API calls 5891->5892 5892->5893 5893->5728 5895 14000963f 5894->5895 5896 14000d5a4 _FF_MSGBANNER 44 API calls 5895->5896 5926 140007c03 5895->5926 5897 140009661 5896->5897 5898 1400097e6 GetStdHandle 5897->5898 5900 14000d5a4 _FF_MSGBANNER 44 API calls 5897->5900 5899 1400097f9 malloc 5898->5899 5898->5926 5903 14000980f WriteFile 5899->5903 5899->5926 5901 140009674 5900->5901 5901->5898 5902 140009685 5901->5902 5904 140009d70 malloc 44 API calls 5902->5904 5902->5926 5903->5926 5905 1400096b0 5904->5905 5906 1400096c9 GetModuleFileNameA 5905->5906 5907 14000946c malloc 8 API calls 5905->5907 5908 1400096e9 5906->5908 5912 14000971a malloc 5906->5912 5907->5906 5909 140009d70 malloc 44 API calls 5908->5909 5910 140009701 5909->5910 5910->5912 5914 14000946c malloc 8 API calls 5910->5914 5911 140009775 6339 14000d440 5911->6339 5912->5911 6330 14000d4cc 5912->6330 5914->5912 5916 1400097a0 5920 14000d440 malloc 44 API calls 5916->5920 5919 14000946c malloc 8 API calls 5919->5916 5921 1400097b6 5920->5921 5923 1400097cf 5921->5923 5924 14000946c malloc 8 API calls 5921->5924 5922 14000946c malloc 8 API calls 5922->5911 6348 14000d24c 5923->6348 5924->5923 5927 1400090e8 5926->5927 6366 1400090ac GetModuleHandleW 5927->6366 5931 140009844 _FF_MSGBANNER 46 API calls 5930->5931 5932 140009089 5931->5932 5933 14000961c malloc 46 API calls 5932->5933 5934 140009090 DecodePointer 5933->5934 5966 140008b68 EncodePointer 5935->5966 5937 140009407 _initp_misc_winsig 5938 140008918 EncodePointer 5937->5938 5939 14000944a EncodePointer 5938->5939 5939->5767 5941 14000bfbf 5940->5941 5943 140008e48 5941->5943 5967 14000d21c InitializeCriticalSectionAndSpinCount 5941->5967 5943->5770 5943->5771 5945 140008f4d 5944->5945 5947 140008e73 5945->5947 5948 140008f6b Sleep 5945->5948 5969 14000ce84 5945->5969 5947->5770 5947->5777 5948->5945 5948->5947 6013 14000c1ac 5949->6013 5959 140008b98 5958->5959 5960 
140008b8b FlsFree 5958->5960 5961 14000c05b DeleteCriticalSection 5959->5961 5963 14000c079 5959->5963 5960->5959 5962 140007398 free 47 API calls 5961->5962 5962->5959 5964 14000c087 DeleteCriticalSection 5963->5964 5965 140007c12 5963->5965 5964->5963 5965->5734 5965->5736 5965->5737 5968 14000d244 5967->5968 5968->5941 5970 14000ce99 5969->5970 5975 14000cecb malloc 5969->5975 5971 14000cea7 5970->5971 5970->5975 5978 140008ab8 5971->5978 5973 14000cee3 HeapAlloc 5974 14000cec7 5973->5974 5973->5975 5974->5945 5975->5973 5975->5974 5985 140008c58 GetLastError FlsGetValue 5978->5985 5980 140008ac1 5981 140009594 DecodePointer 5980->5981 5982 1400095c5 5981->5982 5983 1400095df _FF_MSGBANNER 5981->5983 5982->5974 6003 14000946c 5983->6003 5986 140008cc6 SetLastError 5985->5986 5987 140008c7e 5985->5987 5986->5980 5988 140008f28 _getptd 42 API calls 5987->5988 5989 140008c8b 5988->5989 5989->5986 5990 140008c93 FlsSetValue 5989->5990 5991 140008ca9 5990->5991 5992 140008cbf 5990->5992 5993 140008ba4 _getptd 42 API calls 5991->5993 5997 140007398 5992->5997 5995 140008cb0 GetCurrentThreadId 5993->5995 5995->5986 5996 140008cc4 5996->5986 5998 1400073cd free 5997->5998 5999 14000739d HeapFree 5997->5999 5998->5996 5999->5998 6000 1400073b8 5999->6000 6001 140008ab8 _errno 45 API calls 6000->6001 6002 1400073bd GetLastError 6001->6002 6002->5998 6011 140007d40 6003->6011 6006 140009509 6008 140009529 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6006->6008 6007 1400094ce RtlVirtualUnwind 6007->6008 6009 140009574 GetCurrentProcess TerminateProcess 6008->6009 6010 140009568 _FF_MSGBANNER 6008->6010 6009->5982 6010->6009 6012 140007d49 RtlCaptureContext RtlLookupFunctionEntry 6011->6012 6012->6006 6012->6007 6014 14000c1ca 6013->6014 6015 14000c1db EnterCriticalSection 6013->6015 6019 14000c0c4 6014->6019 6018 14000907c _lock 46 API calls 6018->6015 6020 14000c102 6019->6020 6021 14000c0eb 6019->6021 6023 14000c117 6020->6023 6045 140008ebc 
6020->6045 6022 140009844 _FF_MSGBANNER 46 API calls 6021->6022 6024 14000c0f0 6022->6024 6023->6015 6023->6018 6026 14000961c malloc 46 API calls 6024->6026 6028 14000c0f8 6026->6028 6033 1400090e8 malloc 3 API calls 6028->6033 6029 14000c13c 6032 14000c1ac _lock 46 API calls 6029->6032 6030 14000c12d 6031 140008ab8 _errno 46 API calls 6030->6031 6031->6023 6034 14000c146 6032->6034 6033->6020 6035 14000c17e 6034->6035 6036 14000c14f 6034->6036 6038 140007398 free 46 API calls 6035->6038 6037 14000d21c _lock InitializeCriticalSectionAndSpinCount 6036->6037 6040 14000c15c 6037->6040 6039 14000c16d LeaveCriticalSection 6038->6039 6039->6023 6040->6039 6042 140007398 free 46 API calls 6040->6042 6043 14000c168 6042->6043 6044 140008ab8 _errno 46 API calls 6043->6044 6044->6039 6047 140008ed8 6045->6047 6048 140008f10 6047->6048 6049 140008ef0 Sleep 6047->6049 6050 1400076c4 6047->6050 6048->6029 6048->6030 6049->6047 6049->6048 6051 140007758 malloc 6050->6051 6060 1400076dc malloc 6050->6060 6053 140008ab8 _errno 46 API calls 6051->6053 6052 140007714 HeapAlloc 6054 14000774d 6052->6054 6052->6060 6053->6054 6054->6047 6055 140009844 _FF_MSGBANNER 46 API calls 6059 1400076f4 6055->6059 6056 14000773d 6058 140008ab8 _errno 46 API calls 6056->6058 6057 14000961c malloc 46 API calls 6057->6059 6061 140007742 6058->6061 6059->6052 6059->6055 6059->6057 6062 1400090e8 malloc 3 API calls 6059->6062 6060->6052 6060->6056 6060->6059 6060->6061 6063 140008ab8 _errno 46 API calls 6061->6063 6062->6059 6063->6054 6065 14000d693 6064->6065 6066 14000d689 6064->6066 6067 140008ab8 _errno 47 API calls 6065->6067 6066->6065 6071 14000d6c3 6066->6071 6068 14000d69b 6067->6068 6069 140009594 _FF_MSGBANNER 9 API calls 6068->6069 6070 14000d6b6 6069->6070 6070->5814 6071->6070 6072 140008ab8 _errno 47 API calls 6071->6072 6072->6068 6074 14000cf4a EncodePointer 6073->6074 6074->6074 6075 14000cf5f 6074->6075 6075->5820 6079 1400074b8 6076->6079 6092 140009100 6079->6092 6098 1400028ce 
6093->6098 6095 140001b21 StringFromGUID2 SysAllocString 6095->5828 6095->5829 6139 140002c20 6098->6139 6100 14000187d 6099->6100 6112 14000198e 6100->6112 6279 140002300 6100->6279 6102 140007200 __initmbctable 8 API calls 6103 1400019e9 6102->6103 6103->5837 6104 1400018ae 6105 140002300 59 API calls 6104->6105 6111 1400018f9 6104->6111 6107 1400018e4 6105->6107 6106 140001955 UuidFromStringW 6106->6112 6282 1400027d0 6107->6282 6108 140002300 59 API calls 6110 14000192d 6108->6110 6113 1400027d0 59 API calls 6110->6113 6111->6106 6111->6108 6112->6102 6114 140001942 6113->6114 6114->6106 6116 140007209 6115->6116 6117 140007214 6116->6117 6118 140008784 RtlCaptureContext RtlLookupFunctionEntry 6116->6118 6117->5864 6119 1400087c8 RtlVirtualUnwind 6118->6119 6120 140008809 6118->6120 6121 14000882b IsDebuggerPresent 6119->6121 6120->6121 6301 14000bf94 6121->6301 6123 14000888a SetUnhandledExceptionFilter UnhandledExceptionFilter 6124 1400088b2 GetCurrentProcess TerminateProcess 6123->6124 6125 1400088a8 _FF_MSGBANNER 6123->6125 6124->5864 6125->6124 6127 140008088 __CxxFrameHandler RaiseException 6126->6127 6128 140006079 RegOpenKeyExW 6127->6128 6129 1400060d2 6128->6129 6130 140006119 6128->6130 6302 1400048a0 RegOpenKeyExW 6129->6302 6130->5834 6133 140006106 RegCloseKey 6134 14000610c 6133->6134 6134->5834 6136 140002e8d 6135->6136 6137 140002e83 6135->6137 6138 1400073d8 59 API calls 6136->6138 6137->5880 6138->6137 6140 140002c44 6139->6140 6141 140002c49 6139->6141 6154 140006c9c 6140->6154 6144 140002947 6141->6144 6161 140002ca0 6141->6161 6144->6095 6145 14000777c 6144->6145 6146 14000779d shared_ptr 6145->6146 6152 140007799 __initmbctable 6145->6152 6147 1400077a2 6146->6147 6151 1400077ed 6146->6151 6146->6152 6148 140008ab8 _errno 47 API calls 6147->6148 6149 1400077a7 6148->6149 6150 140009594 _FF_MSGBANNER 9 API calls 6149->6150 6150->6152 6151->6152 6153 140008ab8 _errno 47 API calls 6151->6153 6152->6095 6153->6149 6171 140006e08 6154->6171 
6156 140006cbd 6175 140007074 6156->6175 6160 140006d02 6163 140002cdf 6161->6163 6162 140002d18 6164 1400073d8 59 API calls 6162->6164 6163->6162 6165 140007968 __CxxFrameHandler 47 API calls 6163->6165 6167 140002d71 6164->6167 6166 140002d4a 6165->6166 6168 140008088 __CxxFrameHandler RaiseException 6166->6168 6169 140002dbc 6167->6169 6170 14000777c 47 API calls 6167->6170 6168->6162 6169->6144 6170->6169 6172 140006e31 malloc 6171->6172 6181 140006d04 6172->6181 6176 140006f78 59 API calls 6175->6176 6177 140006ce4 6176->6177 6178 140008088 6177->6178 6179 1400080af __initmbctable 6178->6179 6180 1400080f6 RaiseException 6179->6180 6180->6160 6182 140006d76 6181->6182 6186 140006d26 6181->6186 6183 140006d81 6182->6183 6184 140006c9c 59 API calls 6182->6184 6188 140006d97 6183->6188 6207 140006a78 6183->6207 6184->6183 6186->6182 6189 140006d56 6186->6189 6187 140006d74 6187->6156 6188->6187 6190 14000777c 47 API calls 6188->6190 6192 140006f78 6189->6192 6190->6187 6193 140006fa3 6192->6193 6194 140006f9e 6192->6194 6196 140006fd2 6193->6196 6197 140006fb3 6193->6197 6217 140006e50 6194->6217 6198 140006fdd 6196->6198 6200 140006c9c 59 API calls 6196->6200 6229 140006edc 6197->6229 6202 140006a78 59 API calls 6198->6202 6204 140006ff0 6198->6204 6200->6198 6202->6204 6203 140006edc 59 API calls 6206 140006fcd 6203->6206 6205 14000777c 47 API calls 6204->6205 6204->6206 6205->6206 6206->6187 6209 140006ab2 6207->6209 6208 140006b32 6250 1400073d8 6208->6250 6209->6208 6244 140007968 6209->6244 6212 140006b37 6215 140006b7b 6212->6215 6216 14000777c 47 API calls 6212->6216 6214 140008088 __CxxFrameHandler RaiseException 6214->6208 6215->6188 6216->6215 6218 140006e80 malloc 6217->6218 6219 140006d04 59 API calls 6218->6219 6220 140006e94 6219->6220 6221 140007074 59 API calls 6220->6221 6222 140006ebb 6221->6222 6223 140008088 __CxxFrameHandler RaiseException 6222->6223 6224 140006ed9 6223->6224 6225 140006e50 59 API calls 6224->6225 6227 140006f02 6224->6227 
6225->6227 6226 140006f4a 6226->6193 6227->6226 6235 140007ae0 6227->6235 6230 140006efd 6229->6230 6233 140006f02 6229->6233 6231 140006e50 59 API calls 6230->6231 6231->6233 6232 140006f4a 6232->6203 6233->6232 6234 140007ae0 47 API calls 6233->6234 6234->6232 6236 140007b14 __initmbctable 6235->6236 6237 140007aee 6235->6237 6236->6226 6238 140007af3 6237->6238 6239 140007b1d 6237->6239 6240 140008ab8 _errno 47 API calls 6238->6240 6239->6236 6242 140008ab8 _errno 47 API calls 6239->6242 6241 140007af8 6240->6241 6243 140009594 _FF_MSGBANNER 9 API calls 6241->6243 6242->6241 6243->6236 6245 140006b15 6244->6245 6246 14000798f malloc 6244->6246 6245->6214 6247 1400076c4 malloc 47 API calls 6246->6247 6248 1400079a0 6247->6248 6248->6245 6264 140009d70 6248->6264 6253 1400073e3 malloc 6250->6253 6251 1400076c4 malloc 47 API calls 6251->6253 6252 1400073fc 6252->6212 6253->6251 6253->6252 6257 140007402 6253->6257 6254 140007449 6273 1400079f8 6254->6273 6257->6254 6259 1400075c0 _cinit 57 API calls 6257->6259 6258 140008088 __CxxFrameHandler RaiseException 6260 140007470 6258->6260 6259->6254 6261 140008f28 _getptd 47 API calls 6260->6261 6262 140007487 EncodePointer 6261->6262 6263 1400074a5 6262->6263 6263->6212 6265 140009d85 6264->6265 6266 140009d7b 6264->6266 6267 140008ab8 _errno 47 API calls 6265->6267 6266->6265 6268 140009db1 6266->6268 6272 140009d8d 6267->6272 6270 140009da9 6268->6270 6271 140008ab8 _errno 47 API calls 6268->6271 6269 140009594 _FF_MSGBANNER 9 API calls 6269->6270 6270->6245 6271->6272 6272->6269 6274 140007a21 malloc 6273->6274 6278 14000745a 6273->6278 6275 1400076c4 malloc 47 API calls 6274->6275 6274->6278 6276 140007a3b 6275->6276 6277 140009d70 malloc 47 API calls 6276->6277 6276->6278 6277->6278 6278->6258 6280 1400027d0 59 API calls 6279->6280 6281 14000232a 6280->6281 6281->6104 6283 140002801 6282->6283 6284 1400027fc 6282->6284 6286 140002833 6283->6286 6287 140002817 6283->6287 6285 140006e50 59 API calls 6284->6285 
6285->6283 6288 140002c20 59 API calls 6286->6288 6295 140002b60 6287->6295 6293 14000283e 6288->6293 6291 140002b60 59 API calls 6292 140002831 6291->6292 6292->6111 6293->6292 6294 14000777c 47 API calls 6293->6294 6294->6292 6296 140002b7e 6295->6296 6299 140002b83 6295->6299 6298 140006e50 59 API calls 6296->6298 6297 140002824 6297->6291 6298->6299 6299->6297 6300 140007ae0 47 API calls 6299->6300 6300->6297 6301->6123 6303 140004908 6302->6303 6316 1400049e5 6302->6316 6306 140004915 6303->6306 6307 14000490d RegCloseKey 6303->6307 6304 1400049f1 RegCloseKey 6305 1400049f7 6304->6305 6308 140007200 __initmbctable 8 API calls 6305->6308 6309 140004931 RegEnumKeyExW 6306->6309 6306->6316 6307->6306 6310 140004a09 6308->6310 6311 1400049c1 6309->6311 6317 14000496a 6309->6317 6310->6133 6310->6134 6312 1400049d6 6311->6312 6313 1400049cb RegCloseKey 6311->6313 6319 140004ad0 6312->6319 6313->6312 6315 1400048a0 11 API calls 6315->6317 6316->6304 6316->6305 6317->6315 6317->6316 6318 14000498a RegEnumKeyExW 6317->6318 6318->6311 6318->6317 6320 140004ae9 GetModuleHandleW 6319->6320 6321 140004b1b RegDeleteKeyW 6319->6321 6320->6321 6322 140004afb GetProcAddress 6320->6322 6322->6321 6325 14000d5ac 6324->6325 6326 140009852 6325->6326 6327 140008ab8 _errno 47 API calls 6325->6327 6326->5888 6326->5889 6328 14000d5d1 6327->6328 6329 140009594 _FF_MSGBANNER 9 API calls 6328->6329 6329->6326 6335 14000d4da 6330->6335 6331 14000d4df 6332 140008ab8 _errno 47 API calls 6331->6332 6333 14000975c 6331->6333 6334 14000d509 6332->6334 6333->5911 6333->5922 6336 140009594 _FF_MSGBANNER 9 API calls 6334->6336 6335->6331 6335->6333 6337 14000d52d 6335->6337 6336->6333 6337->6333 6338 140008ab8 _errno 47 API calls 6337->6338 6338->6334 6340 14000d458 6339->6340 6342 14000d44e 6339->6342 6341 140008ab8 _errno 47 API calls 6340->6341 6347 14000d460 6341->6347 6342->6340 6343 14000d49c 6342->6343 6345 140009787 6343->6345 6346 140008ab8 _errno 47 API calls 6343->6346 6344 
140009594 _FF_MSGBANNER 9 API calls 6344->6345 6345->5916 6345->5919 6346->6347 6347->6344 6365 140008b68 EncodePointer 6348->6365 6367 1400090c6 GetProcAddress 6366->6367 6368 1400090df ExitProcess 6366->6368 6367->6368 6369 1400090db 6367->6369 6369->6368 6812 14000ef44 6813 14000ef56 6812->6813 6814 14000ef60 6812->6814 6816 14000c0ac LeaveCriticalSection 6813->6816 6817 14000ed50 6818 14000ed6c 6817->6818 6819 140008088 __CxxFrameHandler RaiseException 6818->6819 6820 14000ed8f 6819->6820 6821 14000f750 6824 1400030d0 6821->6824 6825 1400030a0 shared_ptr InitializeCriticalSection 6824->6825 6826 14000312f 6825->6826 6827 140006958 DeleteCriticalSection 6828 140006974 6827->6828 6829 140006979 6827->6829 6830 140007398 free 47 API calls 6828->6830 6830->6829 6831 140004658 6835 140004684 shared_ptr 6831->6835 6832 140007200 __initmbctable 8 API calls 6834 1400047db 6832->6834 6833 14000471f RegSetValueExW 6836 140004761 strtoxl 6833->6836 6835->6833 6837 140004689 strtoxl 6835->6837 6836->6837 6839 140004b80 6836->6839 6837->6832 6840 140004b90 6839->6840 6841 140004bb5 6840->6841 6842 140004baa CharNextW 6840->6842 6843 140004bc1 6841->6843 6844 140004bf1 CharNextW 6841->6844 6850 140004ca2 6841->6850 6842->6840 6843->6837 6846 140004c7e 6844->6846 6853 140004c04 6844->6853 6845 140004cbc CharNextW 6847 140004d0e 6845->6847 6845->6850 6846->6847 6848 140004c8b CharNextW 6846->6848 6847->6837 6848->6847 6849 140004c0d CharNextW 6849->6846 6849->6853 6850->6845 6850->6847 6851 140004c22 CharNextW 6852 140004c2b CharNextW 6851->6852 6852->6847 6852->6853 6853->6846 6853->6849 6853->6851 6853->6852 6854 14000ce5c 6855 14000ce69 6854->6855 6856 14000ce73 6854->6856 6858 14000cc64 6855->6858 6859 140008cdc _getptd 47 API calls 6858->6859 6860 14000cc88 6859->6860 6882 14000c7f4 6860->6882 6865 14000ce11 6865->6856 6866 140008ebc _lock 47 API calls 6867 14000ccb4 __initmbctable 6866->6867 6867->6865 6900 14000c9ec 6867->6900 6870 14000ce13 6870->6865 6872 14000ce2c 
6870->6872 6873 140007398 free 47 API calls 6870->6873 6871 14000ccef 6875 140007398 free 47 API calls 6871->6875 6876 14000cd14 6871->6876 6874 140008ab8 _errno 47 API calls 6872->6874 6873->6872 6874->6865 6875->6876 6876->6865 6877 14000c1ac _lock 47 API calls 6876->6877 6878 14000cd4c 6877->6878 6879 14000cdfc 6878->6879 6881 140007398 free 47 API calls 6878->6881 6910 14000c0ac LeaveCriticalSection 6879->6910 6881->6879 6883 140008cdc _getptd 47 API calls 6882->6883 6884 14000c803 6883->6884 6885 14000c81e 6884->6885 6886 14000c1ac _lock 47 API calls 6884->6886 6888 14000c8a2 6885->6888 6890 14000907c _lock 47 API calls 6885->6890 6891 14000c831 6886->6891 6887 14000c868 6911 14000c0ac LeaveCriticalSection 6887->6911 6893 14000c95c 6888->6893 6890->6888 6891->6887 6892 140007398 free 47 API calls 6891->6892 6892->6887 6912 14000c8b0 6893->6912 6896 14000c9a1 6898 14000c9a6 GetACP 6896->6898 6899 14000c98c 6896->6899 6897 14000c97c GetOEMCP 6897->6899 6898->6899 6899->6865 6899->6866 6901 14000c95c __initmbctable 49 API calls 6900->6901 6902 14000ca13 6901->6902 6903 14000ca1b __initmbctable 6902->6903 6904 14000ca6c IsValidCodePage 6902->6904 6908 14000ca92 shared_ptr 6902->6908 6905 140007200 __initmbctable 8 API calls 6903->6905 6904->6903 6907 14000ca7d GetCPInfo 6904->6907 6906 14000cc4f 6905->6906 6906->6870 6906->6871 6907->6903 6907->6908 7079 14000c610 GetCPInfo 6908->7079 6913 14000c8c6 6912->6913 6917 14000c92a 6912->6917 6914 140008cdc _getptd 47 API calls 6913->6914 6915 14000c8cb 6914->6915 6918 14000c903 6915->6918 6920 14000c504 6915->6920 6917->6896 6917->6897 6918->6917 6919 14000c7f4 __initmbctable 47 API calls 6918->6919 6919->6917 6921 140008cdc _getptd 47 API calls 6920->6921 6922 14000c50f 6921->6922 6923 14000c538 6922->6923 6924 14000c52a 6922->6924 6925 14000c1ac _lock 47 API calls 6923->6925 6926 140008cdc _getptd 47 API calls 6924->6926 6927 14000c542 6925->6927 6928 14000c52f 6926->6928 6934 14000c4ac 6927->6934 6932 14000c570 
6928->6932 6933 14000907c _lock 47 API calls 6928->6933 6932->6918 6933->6932 6935 14000c4f6 6934->6935 6936 14000c4ba __initmbctable _getptd 6934->6936 6938 14000c0ac LeaveCriticalSection 6935->6938 6936->6935 6939 14000c1f0 6936->6939 6940 14000c287 6939->6940 6942 14000c20e 6939->6942 6941 14000c2da 6940->6941 6943 140007398 free 47 API calls 6940->6943 6951 14000c307 6941->6951 6991 14000d740 6941->6991 6942->6940 6950 140007398 free 47 API calls 6942->6950 6953 14000c24d 6942->6953 6944 14000c2ab 6943->6944 6946 140007398 free 47 API calls 6944->6946 6952 14000c2bf 6946->6952 6947 14000c26f 6955 140007398 free 47 API calls 6947->6955 6949 140007398 free 47 API calls 6949->6951 6956 14000c241 6950->6956 6954 14000c353 6951->6954 6964 140007398 47 API calls free 6951->6964 6957 140007398 free 47 API calls 6952->6957 6953->6947 6958 140007398 free 47 API calls 6953->6958 6959 14000c27b 6955->6959 6967 14000d974 6956->6967 6962 14000c2ce 6957->6962 6963 14000c263 6958->6963 6960 140007398 free 47 API calls 6959->6960 6960->6940 6965 140007398 free 47 API calls 6962->6965 6983 14000d92c 6963->6983 6964->6951 6965->6941 6968 14000da03 6967->6968 6969 14000d97d 6967->6969 6968->6953 6970 14000d997 6969->6970 6971 140007398 free 47 API calls 6969->6971 6972 14000d9a9 6970->6972 6973 140007398 free 47 API calls 6970->6973 6971->6970 6974 14000d9bb 6972->6974 6975 140007398 free 47 API calls 6972->6975 6973->6972 6976 14000d9cd 6974->6976 6977 140007398 free 47 API calls 6974->6977 6975->6974 6978 14000d9df 6976->6978 6979 140007398 free 47 API calls 6976->6979 6977->6976 6980 14000d9f1 6978->6980 6981 140007398 free 47 API calls 6978->6981 6979->6978 6980->6968 6982 140007398 free 47 API calls 6980->6982 6981->6980 6982->6968 6984 14000d931 6983->6984 6989 14000d96e 6983->6989 6985 14000d94a 6984->6985 6986 140007398 free 47 API calls 6984->6986 6987 14000d95c 6985->6987 6988 140007398 free 47 API calls 6985->6988 6986->6985 6987->6989 6990 140007398 free 47 API calls 
6987->6990 6988->6987 6989->6947 6990->6989 6992 14000c2fb 6991->6992 6993 14000d749 6991->6993 6992->6949 6994 140007398 free 47 API calls 6993->6994 6995 14000d75a 6994->6995 6996 140007398 free 47 API calls 6995->6996 6997 14000d763 6996->6997 6998 140007398 free 47 API calls 6997->6998 6999 14000d76c 6998->6999 7000 140007398 free 47 API calls 6999->7000 7001 14000d775 7000->7001 7002 140007398 free 47 API calls 7001->7002 7003 14000d77e 7002->7003 7004 140007398 free 47 API calls 7003->7004 7005 14000d787 7004->7005 7006 140007398 free 47 API calls 7005->7006 7007 14000d78f 7006->7007 7008 140007398 free 47 API calls 7007->7008 7009 14000d798 7008->7009 7010 140007398 free 47 API calls 7009->7010 7011 14000d7a1 7010->7011 7012 140007398 free 47 API calls 7011->7012 7013 14000d7aa 7012->7013 7014 140007398 free 47 API calls 7013->7014 7015 14000d7b3 7014->7015 7016 140007398 free 47 API calls 7015->7016 7017 14000d7bc 7016->7017 7018 140007398 free 47 API calls 7017->7018 7019 14000d7c5 7018->7019 7020 140007398 free 47 API calls 7019->7020 7021 14000d7ce 7020->7021 7022 140007398 free 47 API calls 7021->7022 7023 14000d7d7 7022->7023 7024 140007398 free 47 API calls 7023->7024 7025 14000d7e0 7024->7025 7026 140007398 free 47 API calls 7025->7026 7027 14000d7ec 7026->7027 7028 140007398 free 47 API calls 7027->7028 7029 14000d7f8 7028->7029 7030 140007398 free 47 API calls 7029->7030 7031 14000d804 7030->7031 7032 140007398 free 47 API calls 7031->7032 7033 14000d810 7032->7033 7034 140007398 free 47 API calls 7033->7034 7035 14000d81c 7034->7035 7036 140007398 free 47 API calls 7035->7036 7037 14000d828 7036->7037 7038 140007398 free 47 API calls 7037->7038 7039 14000d834 7038->7039 7040 140007398 free 47 API calls 7039->7040 7041 14000d840 7040->7041 7042 140007398 free 47 API calls 7041->7042 7043 14000d84c 7042->7043 7044 140007398 free 47 API calls 7043->7044 7045 14000d858 7044->7045 7046 140007398 free 47 API calls 7045->7046 7047 14000d864 7046->7047 

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: String$Char$Next$Free$AllocCreateMessageSleep$BuffByteFromThreadUpperlstrcmpi$CommandCriticalCurrentDeleteDispatchEventInitializeItemLineMonikerObjectRunningSectionTableUninitialize
                        • String ID: RegServer$UnregServer
                        • API String ID: 1439686361-1360048911
                        • Opcode ID: c53b9eb475a62b58cef6332658bd80aed3c823ee1ddb201bd18a5fc6f0ca370e
                        • Instruction ID: b7d74cdaf3e56adff6bdb8ee720ce2329d7f6e7b9e3d89e0ba8973d5c19e4dc5
                        • Opcode Fuzzy Hash: c53b9eb475a62b58cef6332658bd80aed3c823ee1ddb201bd18a5fc6f0ca370e
                        • Instruction Fuzzy Hash: C2024671205B8282EB66DF22E8547EA63A1FB8CBD4F444125FB9A477B4EF3AC445C300

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: DecodePointer$_initterm$ExitProcess_lock
                        • String ID:
                        • API String ID: 2551688548-0
                        • Opcode ID: d3b06b25a786ca0534e88820e4e6a3589d924fda1cc0c655bfba7bfd7dc408fa
                        • Instruction ID: 07673facac83906e7c76a80bdf98338d6e48441c0e0544f8201256dd6b8b1c23
                        • Opcode Fuzzy Hash: d3b06b25a786ca0534e88820e4e6a3589d924fda1cc0c655bfba7bfd7dc408fa
                        • Instruction Fuzzy Hash: 654147B1216B5081FA62DB13F8403D972A4B78CBC4F440125BB8E4BBBAEB7AC555CB05

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: CriticalFileLoadModuleNameSectionType$EnterLeave
                        • String ID:
                        • API String ID: 2533399358-0
                        • Opcode ID: 4a95d764720e9f89894b0dbb495441985030873d61e6edebb0900d6dc42e40ab
                        • Instruction ID: 8eb3aa069d2603357a3d4cf543e7500a3a539a99d2529c06f853cfa51108d033
                        • Opcode Fuzzy Hash: 4a95d764720e9f89894b0dbb495441985030873d61e6edebb0900d6dc42e40ab
                        • Instruction Fuzzy Hash: 5AA1E1B6205B4182EA66CF16F8943D963A0F78CBD4F585126EB8E4B7B4DF3AC945C700

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: CommandInfoInitializeLineStartup_cinit
                        • String ID:
                        • API String ID: 3693240955-0
                        • Opcode ID: a677a459171d0055582345a6e5c1bd70690981f78429a4a97dd698e5d380b6b8
                        • Instruction ID: 618e1691778918ebcc204c73ae439f9684ea69a3c8b4418158c818dd905ae431
                        • Opcode Fuzzy Hash: a677a459171d0055582345a6e5c1bd70690981f78429a4a97dd698e5d380b6b8
                        • Instruction Fuzzy Hash: C3413EB1A0438186FB67EBA7B5517EA7291AB8D3C4F044439B789476F3DF7C89408712

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: ObjectSingleWait$CloseHandleMessagePostThread
                        • String ID:
                        • API String ID: 3386540786-0
                        • Opcode ID: b996f8a358e3857f069cf0b71e94f0ea8b998367879f486d310f3a42798108ed
                        • Instruction ID: 5221bdb29aa0d4e5f2d3e52342bcc899d36ec8d34f176b3988a9326c8c9679c0
                        • Opcode Fuzzy Hash: b996f8a358e3857f069cf0b71e94f0ea8b998367879f486d310f3a42798108ed
                        • Instruction Fuzzy Hash: BEF06D7260458486F752DF36E4047A937A2FBDEBA9F445110EB594B2A4CB78C888CB40

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: String$Free
                        • String ID:
                        • API String ID: 1391021980-0
                        • Opcode ID: 2d10286868130cb06e7a1fcadc46548283396d2f5339114b0e3874c3305c231f
                        • Instruction ID: ee9f486afb513c7c286d9bc955161b819ab45af594cbfe0c5b807114dbd55448
                        • Opcode Fuzzy Hash: 2d10286868130cb06e7a1fcadc46548283396d2f5339114b0e3874c3305c231f
                        • Instruction Fuzzy Hash: 0C510876204B8082EB65CF16F4907AE77A0F789BE4F508215EFAA877A4DF38C555CB40

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: EnvironmentStrings$Free
                        • String ID:
                        • API String ID: 3328510275-0
                        • Opcode ID: 4be84f8da798ce5530ee38e97613c715554758017dcf0d69418dd1c154c19818
                        • Instruction ID: a05c25852a6f65f82b8facba23e8fe879d9a18c701681738e1736eaa58bf0201
                        • Opcode Fuzzy Hash: 4be84f8da798ce5530ee38e97613c715554758017dcf0d69418dd1c154c19818
                        • Instruction Fuzzy Hash: 3601AC75B0469085DE61EF63B54939A63E0E78EFC0F4C4420FB4A07765DABCC5808300

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: AllocFolderPathSpecialString
                        • String ID:
                        • API String ID: 997430384-0
                        • Opcode ID: 36e408226ae31ac45d39e01efaff93e09a8eb11419a68d0dd6d3ed220063823a
                        • Instruction ID: 3dace4caf315503cb7b9d81d11fe13e9779b47cba291b766f1ae0c490d9d72ea
                        • Opcode Fuzzy Hash: 36e408226ae31ac45d39e01efaff93e09a8eb11419a68d0dd6d3ed220063823a
                        • Instruction Fuzzy Hash: BAF01272714A4482FB32DB72F89579A63A1BB5C7C4F414416AB9D4B665DF3CC144CB00

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: AllocFolderPathSpecialString
                        • String ID:
                        • API String ID: 997430384-0
                        • Opcode ID: d4544bca33c8623ed21ede49bc312ce01ed4ac2a4fc16018878fee9bde5d1abf
                        • Instruction ID: 6774e0e8a2b881655ae1fe0c58510dcf3f97e1c32c1f912f13a511ba33b91d73
                        • Opcode Fuzzy Hash: d4544bca33c8623ed21ede49bc312ce01ed4ac2a4fc16018878fee9bde5d1abf
                        • Instruction Fuzzy Hash: D6F0FE72714A4082EB72DB72F89579A62A1BB5C7C4F414415AB9D4B664DE3CC1448B00

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: Heap$CreateInformation
                        • String ID:
                        • API String ID: 1774340351-0
                        • Opcode ID: 60955895670250e950209d8e72f64c9098f7b83159f4408353f43344fc270f5a
                        • Instruction ID: 085bc612c012e77dfde3bb6aadc7deea4adf74b7881832ae79349772b23d908f
                        • Opcode Fuzzy Hash: 60955895670250e950209d8e72f64c9098f7b83159f4408353f43344fc270f5a
                        • Instruction Fuzzy Hash: 55E04FB572279082EB9ADB22B8597956290FB8C380F905029FF89077A4EF7DC1458B00

                        Control-flow Graph

                        APIs
                        • malloc.LIBCMT ref: 0000000140008EDB
                          • Part of subcall function 00000001400076C4: _FF_MSGBANNER.LIBCMT ref: 00000001400076F4
                          • Part of subcall function 00000001400076C4: HeapAlloc.KERNEL32(?,?,00000000,00000001400073F7), ref: 0000000140007719
                          • Part of subcall function 00000001400076C4: _errno.LIBCMT ref: 000000014000773D
                          • Part of subcall function 00000001400076C4: _errno.LIBCMT ref: 0000000140007748
                        • Sleep.KERNEL32(?,?,00000000,000000014000C125,?,?,?,000000014000C1CF,?,?,00000000,0000000140008BF9,?,?,00000000,0000000140008CB0), ref: 0000000140008EF2
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: _errno$AllocHeapSleepmalloc
                        • String ID:
                        • API String ID: 496785850-0
                        • Opcode ID: a6449296bb5b4f8c4b08f73258b287ffd965e0c787605054bc7408744147d5ec
                        • Instruction ID: 537f67181e73cc186da4c8275488393e9c5cd010b32cf849189cf0473b688248
                        • Opcode Fuzzy Hash: a6449296bb5b4f8c4b08f73258b287ffd965e0c787605054bc7408744147d5ec
                        • Instruction Fuzzy Hash: 8DF0C272600B8582EA22DF27B4403AE7261F7DCBD0F540124FFAA077A4CF39C8928700
                        APIs
                          • Part of subcall function 0000000140004B80: CharNextW.USER32 ref: 0000000140004BAA
                        • lstrcmpiW.KERNEL32(?,?,?,00000000,?,00000000,00000001400057F3,?,00000000,?,00000000,0000000140005A1E), ref: 0000000140004DD2
                        • lstrcmpiW.KERNEL32(?,?,?,00000000,?,00000000,00000001400057F3,?,00000000,?,00000000,0000000140005A1E), ref: 0000000140004DEA
                        • CharNextW.USER32(?,?,?,00000000,?,00000000,00000001400057F3,?,00000000,?,00000000,0000000140005A1E), ref: 0000000140004E46
                        • lstrcmpiW.KERNEL32 ref: 0000000140004E76
                        • lstrlenW.KERNEL32 ref: 000000014000522E
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: lstrcmpi$CharNext$lstrlen
                        • String ID: Advapi32.dll$Delete$ForceRemove$NoRemove$RegDeleteKeyExW$Val
                        • API String ID: 3245553444-3074132075
                        • Opcode ID: 574a2f52c3467135ad231e8221758b9eccbb2765c3416c74247ca22dbefdb9c9
                        • Instruction ID: 778a35a82eab5513ffc37bb2e0784930ca6e74b3d4e47f5133f1fce391781031
                        • Opcode Fuzzy Hash: 574a2f52c3467135ad231e8221758b9eccbb2765c3416c74247ca22dbefdb9c9
                        • Instruction Fuzzy Hash: 743262B5304B4186FB62EB27B8543EB62A5B78DBC1F440125BB8987BB5EF79C445C700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
                        • String ID:
                        • API String ID: 1837315383-0
                        • Opcode ID: 790e360d3d82f2ea2347be63969d824b8f6a96a5d02ec7c98fc1d8ce4b5cb352
                        • Instruction ID: 36ff578f2a5c835a7022fa6b916d227458f80fccd6e2589ac859924e0fb8596d
                        • Opcode Fuzzy Hash: 790e360d3d82f2ea2347be63969d824b8f6a96a5d02ec7c98fc1d8ce4b5cb352
                        • Instruction Fuzzy Hash: 11F19FB26046808AE766CF26F8407DD77A1F74CBD8F544625FB5A67BE8DB38CA408700
                        APIs
                          • Part of subcall function 0000000140004B80: CharNextW.USER32 ref: 0000000140004BAA
                          • Part of subcall function 00000001400040C0: lstrcmpiW.KERNEL32 ref: 0000000140004176
                        • CharNextW.USER32(?,00000000,?,?,FFFFFFFE,?,00000000,0000000140004FE8), ref: 00000001400043FB
                        • lstrlenW.KERNEL32(?,00000000,?,?,FFFFFFFE,?,00000000,0000000140004FE8), ref: 0000000140004452
                        • CharNextW.USER32(?,00000000,?,?,FFFFFFFE,?,00000000,0000000140004FE8), ref: 00000001400044F3
                        • CharNextW.USER32(?,00000000,?,?,FFFFFFFE,?,00000000,0000000140004FE8), ref: 0000000140004512
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: CharNext$lstrcmpilstrlen
                        • String ID:
                        • API String ID: 1051761657-0
                        • Opcode ID: f3154b8e141115c88e6c8bc3963e58bf20827cc774e56c4b8f923a12ca3be294
                        • Instruction ID: 839d84e8e2e58941d85d68fc581de24184406efd97ea25ddc00372293b46d8b9
                        • Opcode Fuzzy Hash: f3154b8e141115c88e6c8bc3963e58bf20827cc774e56c4b8f923a12ca3be294
                        • Instruction Fuzzy Hash: 48B161F2214A8081EB72DB16F8503EA62A5F78D7D0F444115FB8E87AE6EF78C444C705
                        APIs
                        • GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000140009878,?,?,?,?,000000014000C0F0,?,?,?,000000014000C1CF), ref: 00000001400096DF
                        • GetStdHandle.KERNEL32(?,?,?,?,?,0000000140009878,?,?,?,?,000000014000C0F0,?,?,?,000000014000C1CF), ref: 00000001400097EB
                        • WriteFile.KERNEL32 ref: 0000000140009825
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: File$HandleModuleNameWrite
                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                        • API String ID: 3784150691-4022980321
                        • Opcode ID: 49319980787f49705267d80be5e237d6ac7b51f90437b0d6f23b082f9f5b6435
                        • Instruction ID: 7031fb11c9f8d5d7307010091df27ca73d12975a7f1fb81de5a39e834d5e979d
                        • Opcode Fuzzy Hash: 49319980787f49705267d80be5e237d6ac7b51f90437b0d6f23b082f9f5b6435
                        • Instruction Fuzzy Hash: C151BDB231464142FB26EB77B995BEA6291B78D3C4F804226BF8D4BAF5CF7DC1058640
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3778485334-0
                        • Opcode ID: f60b0a82c0ab7c463cc57d977c74447b366e374225e7c9d62e12f8eddd241c4b
                        • Instruction ID: 6456794bf226124b766afbac0b74476d5722fd6e4d820f3a85fa1103d037e848
                        • Opcode Fuzzy Hash: f60b0a82c0ab7c463cc57d977c74447b366e374225e7c9d62e12f8eddd241c4b
                        • Instruction Fuzzy Hash: 2E31DD75105B4585EAA2DB52F88439A73A4F78C394F90412AFB8E4B775DFBEC188CB00
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                        • String ID:
                        • API String ID: 3778485334-0
                        • Opcode ID: ae5614e2d4ca8372d021df3987ae21e1364e5e4791f7fabf3b96f1eeea8b4345
                        • Instruction ID: 06c94d1c8bf6888431f73c5498eb31435ce0334f070dcab656e6167061affebf
                        • Opcode Fuzzy Hash: ae5614e2d4ca8372d021df3987ae21e1364e5e4791f7fabf3b96f1eeea8b4345
                        • Instruction Fuzzy Hash: 53311872608B8582EB66CB56F4443DEB3A4F788795F500125EBCA47B69EF7CC248CB00
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: Library$ErrorFindFreeLastLoadResource
                        • String ID:
                        • API String ID: 3418355812-0
                        • Opcode ID: f31ee2e4daae8a9e28d2c12cb13091382cc6c1343d53f12a23b0ff9af19c730b
                        • Instruction ID: 988a098b27ff3148f2e01d2fd7557f730efac5fc2e13e597eb4f652e5678100b
                        • Opcode Fuzzy Hash: f31ee2e4daae8a9e28d2c12cb13091382cc6c1343d53f12a23b0ff9af19c730b
                        • Instruction Fuzzy Hash: BA5181B1705B8086EA52EB2BB4443DB62D1F78E7E1F500225BB9E477B5EF38C4458B41
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: DriverPackageGetPathW
                        • API String ID: 145871493-341743864
                        • Opcode ID: 7ffa9a20de688f379fe2ae145a8db88722e4293c1271579e93f086675a7654c6
                        • Instruction ID: 71872d51fa73bb03ec15527d1967ee3b4e3d96c43b0306141dea45fb8dcd3b63
                        • Opcode Fuzzy Hash: 7ffa9a20de688f379fe2ae145a8db88722e4293c1271579e93f086675a7654c6
                        • Instruction Fuzzy Hash: A901A131704B9182EA46CB57B5903A953A0E78CFD0F085024FF8E5BB28DE3DC4968700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                        • String ID:
                        • API String ID: 1445889803-0
                        • Opcode ID: 805f681e310bcaa54f51ad100a0e80d747b094cd24f6d97717bbde417d2946ab
                        • Instruction ID: 00aeea000cc7c7b808f48da4adb55bcdd5cd29d6573f5c95b593dc39200301c0
                        • Opcode Fuzzy Hash: 805f681e310bcaa54f51ad100a0e80d747b094cd24f6d97717bbde417d2946ab
                        • Instruction Fuzzy Hash: A5016931265B4086EB92CF22F8547956360F74DBD0F446620FF9E4B7B0DA7DC9898300
                        APIs
                        • RtlCaptureContext.KERNEL32 ref: 0000000140009CE7
                        • SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140009D2D
                        • UnhandledExceptionFilter.KERNEL32 ref: 0000000140009D38
                          • Part of subcall function 000000014000961C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000140009878,?,?,?,?,000000014000C0F0,?,?,?,000000014000C1CF), ref: 00000001400096DF
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                        • String ID:
                        • API String ID: 2731829486-0
                        • Opcode ID: 4e5702ea1c96806e4306ae5e32b9d8c9471292bcdca3bd7594f53fb29dccb40b
                        • Instruction ID: d7211cd7a0b934c5b14731845ea949a2d1b3d6b6722e21d5c4705f73c19bd827
                        • Opcode Fuzzy Hash: 4e5702ea1c96806e4306ae5e32b9d8c9471292bcdca3bd7594f53fb29dccb40b
                        • Instruction Fuzzy Hash: 21015E71215A8542FB66DB62F4547EA63A0FB8D384F040129BB8E0B6F5DF7DC504CB11
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: CreateInstance
                        • String ID:
                        • API String ID: 542301482-0
                        • Opcode ID: 875605757a2449476a98f95d112a103c651caaa92174f3cc6de7ab4ff84c9953
                        • Instruction ID: 4eae171bfb77eac9e3a843d278eb924d81724f4266949a10ae07889404c9975a
                        • Opcode Fuzzy Hash: 875605757a2449476a98f95d112a103c651caaa92174f3cc6de7ab4ff84c9953
                        • Instruction Fuzzy Hash: 51016276604A11C2E712CF2AF450399B3B5F788BC8F598011EB8847738DF39C456C700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: InfoLocale
                        • String ID:
                        • API String ID: 2299586839-0
                        • Opcode ID: f43f5ff56737a04b063bbd7835d8b4b6d8fd65e0e1228449adbab71e683ed752
                        • Instruction ID: f8f62ac5750262d9b7ce562af0b70137be4286cdc81dfe6cc917c44723564100
                        • Opcode Fuzzy Hash: f43f5ff56737a04b063bbd7835d8b4b6d8fd65e0e1228449adbab71e683ed752
                        • Instruction Fuzzy Hash: F2E039B1608A8081FA32D762E8013CA27A0A79C798F800212BA9C5B6F5DE3CC201CB00
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: ExceptionFilterUnhandled
                        • String ID:
                        • API String ID: 3192549508-0
                        • Opcode ID: b8a79dd1f54f78a976d3e6130f85f59db9f1453600447be262f51493e9983399
                        • Instruction ID: 610a4ce270b00e521f3fe3a763a0a4cc7b624a191b6a2187795a19de89c1b2a3
                        • Opcode Fuzzy Hash: b8a79dd1f54f78a976d3e6130f85f59db9f1453600447be262f51493e9983399
                        • Instruction Fuzzy Hash: A5B01230B51400C1E705FB23ECCE3C022A0B75C340FC00412F3098A130EA7C819B8700

                        Control-flow Graph

                        control_flow_graph 622 14000d740-14000d743 623 14000d929 622->623 624 14000d749-14000d928 call 140007398 * 43 622->624 624->623
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: free$ErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 1012874770-0
                        • Opcode ID: b294043ed31a96b31fe9a6b32b266b0c30e33a1bd26a6a8d2958a14b6af750a6
                        • Instruction ID: c0958beaf5094fad19d9f2a1c8c88e157fecefdb76ad659dea4977d404804c16
                        • Opcode Fuzzy Hash: b294043ed31a96b31fe9a6b32b266b0c30e33a1bd26a6a8d2958a14b6af750a6
                        • Instruction Fuzzy Hash: 3C4174B2A1164081FA46FB37D8527EC1320ABCAB84F444532BF4D6B2B7CEB4C9459350
                        APIs
                        • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000001400056A7,?,00000000), ref: 0000000140003C49
                        • CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,?,00000001400056A7,?,00000000), ref: 0000000140003C96
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: FreeTasklstrlen
                        • String ID: }}$HKCR$HKCU{Software{Classes
                        • API String ID: 3667574239-1142484189
                        • Opcode ID: 8d28bbf2e3c96b828f5a0bc7071d0360e1061a846541978ab76e6d9a7004125d
                        • Instruction ID: 97ba2297f0d36d74944d7852c4191000d12d93cac8a229ea8e4991eb19fa2dc4
                        • Opcode Fuzzy Hash: 8d28bbf2e3c96b828f5a0bc7071d0360e1061a846541978ab76e6d9a7004125d
                        • Instruction Fuzzy Hash: 60D1BCB2204A4181FB63DB13F4503EA26A4B74CBD8F544125FF9A5B7F2DB7AC5948704
                        APIs
                        • LoadLibraryA.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D289
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D2A5
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D2CD
                        • EncodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D2D6
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D2EC
                        • EncodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D2F5
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D30B
                        • EncodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D314
                        • GetProcAddress.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D332
                        • EncodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D33B
                        • DecodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D36D
                        • DecodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D37C
                        • DecodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D3D4
                        • DecodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D3F4
                        • DecodePointer.KERNEL32(?,?,?,?,00000000,000000FC,00000001,00000001400097E4,?,?,?,?,?,0000000140009878), ref: 000000014000D40D
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                        • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                        • API String ID: 3085332118-232180764
                        • Opcode ID: 5b6f6419df1a918eadaa3df85aa7bea1dcdac677b95fb57eba1084bd53492d35
                        • Instruction ID: b0c9ef7875fabae5a828df602e2b87cd1658d0750b339f68b7a2deeeea6f0124
                        • Opcode Fuzzy Hash: 5b6f6419df1a918eadaa3df85aa7bea1dcdac677b95fb57eba1084bd53492d35
                        • Instruction Fuzzy Hash: E8510AB0206B1581FE57EB53B8503E932A0AB8DBC0F441026BF8E4B7B5EF39C5518321
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
                        • String ID: bad exception$csm$csm$csm
                        • API String ID: 2351602029-820278400
                        • Opcode ID: 515ec01ff13d04b697d29f4db90ad25df8b22ea9fb6345d992fda9906cb2c0d0
                        • Instruction ID: dafaeae216a137fbed8fed7eac0a0837beabe067a753f3aa9ed93300367c0196
                        • Opcode Fuzzy Hash: 515ec01ff13d04b697d29f4db90ad25df8b22ea9fb6345d992fda9906cb2c0d0
                        • Instruction Fuzzy Hash: E2E18CB220478086EA72EB26B4407EA77A4F7597C4F448525FF8907BAACF38D491CB01
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: free$lstrlen$Module$FileHandleName
                        • String ID: Module$Module_Raw$REGISTRY
                        • API String ID: 47240346-549000027
                        • Opcode ID: 0eb8516139d78ae7982e3a3e02dc2c56e693eea15e665ad8a8e3e17b88ff00be
                        • Instruction ID: 0d51043d63ccf1b47866b192c3ee8ae17b0444253f7b702fbe624e60540ffe13
                        • Opcode Fuzzy Hash: 0eb8516139d78ae7982e3a3e02dc2c56e693eea15e665ad8a8e3e17b88ff00be
                        • Instruction Fuzzy Hash: 5D916FB221578085FA62EB52F4947EB63A4FB8E7C1F841016BF8E47AB6DB39C545C700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: free$lstrlen$Module$FileHandleName
                        • String ID: Module$Module_Raw$REGISTRY
                        • API String ID: 47240346-549000027
                        • Opcode ID: 1b8dbd92e831d9b30aa19935c5f53163d24c720a99b2c8b5a10a1f49d7a59c73
                        • Instruction ID: a20f3075f30f8bfc617431944abcf7cf98644f1bb930d154fc3d943831a6d88f
                        • Opcode Fuzzy Hash: 1b8dbd92e831d9b30aa19935c5f53163d24c720a99b2c8b5a10a1f49d7a59c73
                        • Instruction Fuzzy Hash: 0A916EB2219B8095EA63DB12F4917EA63A8FB897C4F801015BF8E47AB6DF39C545C700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: _getptd$CreateFrameInfo
                        • String ID: csm
                        • API String ID: 4181383844-1018135373
                        • Opcode ID: a2df5260ed98cf15840aef52eb4146501ad7326ec8d4dfc4be3d0cca82250c27
                        • Instruction ID: 59cbc98ad185060b0f050dae6d6d36192f63636f2b4c1a8b54fdef7a96141d2f
                        • Opcode Fuzzy Hash: a2df5260ed98cf15840aef52eb4146501ad7326ec8d4dfc4be3d0cca82250c27
                        • Instruction Fuzzy Hash: 3941E472245B8586EA71EB12F4407EA77A4F789BD0F444225EF8D17BA6DB38C4A28700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        • Associated: 00000003.00000002.3073689091.0000000140000000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073858819.0000000140010000.00000002.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3073935163.0000000140017000.00000004.00000001.01000000.00000009.sdmp
                        • Associated: 00000003.00000002.3074008214.000000014001A000.00000002.00000001.01000000.00000009.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_140000000_ISBEW64.jbxd
                        Similarity
                        • API ID: free$_lock$ErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 1575098132-0
                        APIs
                        • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000E946
                        • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000E965
                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EA0A
                        • malloc.LIBCMT ref: 000000014000EA21
                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EA69
                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EAA4
                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EAE0
                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EB20
                        • free.LIBCMT ref: 000000014000EB2E
                        • free.LIBCMT ref: 000000014000EB50
                        Similarity
                        • API ID: ByteCharMultiWide$Infofree$malloc
                        • String ID:
                        • API String ID: 1309074677-0
                        APIs
                        Strings
                        Similarity
                        • API ID: CharNext
                        • String ID: '
                        • API String ID: 3213498283-1997036262
                        APIs
                        Similarity
                        • API ID: free$ErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 1012874770-0
                        APIs
                        • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,000000014000DDBA), ref: 000000014000DB48
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,000000014000DDBA), ref: 000000014000DB5A
                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,000000014000DDBA), ref: 000000014000DBBA
                        • malloc.LIBCMT ref: 000000014000DC26
                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,000000014000DDBA), ref: 000000014000DC70
                        • GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,000000014000DDBA), ref: 000000014000DC87
                        • free.LIBCMT ref: 000000014000DC98
                        • GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,000000014000DDBA), ref: 000000014000DD15
                        • free.LIBCMT ref: 000000014000DD25
                          • Part of subcall function 000000014000E8F0: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000E946
                          • Part of subcall function 000000014000E8F0: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000E965
                          • Part of subcall function 000000014000E8F0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EA69
                          • Part of subcall function 000000014000E8F0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 000000014000EAA4
                        Similarity
                        • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
                        • String ID:
                        • API String ID: 3804003340-0
                        APIs
                        Similarity
                        • API ID: String$AllocFree$CloseOpen
                        • String ID:
                        • API String ID: 2642695901-0
                        APIs
                        Similarity
                        • API ID: Library$Free$AddressByteCharErrorLastLoadMultiProcWidelstrlen
                        • String ID:
                        • API String ID: 3778413393-0
                        APIs
                        Strings
                        Similarity
                        • API ID: _getptd$ExceptionRaise
                        • String ID: csm
                        • API String ID: 2255768072-1018135373
                        APIs
                        • _FF_MSGBANNER.LIBCMT ref: 000000014000C0EB
                          • Part of subcall function 000000014000961C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000140009878,?,?,?,?,000000014000C0F0,?,?,?,000000014000C1CF), ref: 00000001400096DF
                          • Part of subcall function 00000001400090E8: ExitProcess.KERNEL32 ref: 00000001400090F7
                          • Part of subcall function 0000000140008EBC: malloc.LIBCMT ref: 0000000140008EDB
                          • Part of subcall function 0000000140008EBC: Sleep.KERNEL32(?,?,00000000,000000014000C125,?,?,?,000000014000C1CF,?,?,00000000,0000000140008BF9,?,?,00000000,0000000140008CB0), ref: 0000000140008EF2
                        • _errno.LIBCMT ref: 000000014000C12D
                        • _lock.LIBCMT ref: 000000014000C141
                        • free.LIBCMT ref: 000000014000C163
                        • _errno.LIBCMT ref: 000000014000C168
                        • LeaveCriticalSection.KERNEL32(?,?,?,000000014000C1CF,?,?,00000000,0000000140008BF9,?,?,00000000,0000000140008CB0,?,?,00000000,0000000140008AC1), ref: 000000014000C18E
                        Similarity
                        • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
                        • String ID:
                        • API String ID: 1024173049-0
                        APIs
                        • _getptd.LIBCMT ref: 000000014000CC83
                          • Part of subcall function 000000014000C95C: GetOEMCP.KERNEL32 ref: 000000014000C986
                          • Part of subcall function 0000000140008EBC: malloc.LIBCMT ref: 0000000140008EDB
                          • Part of subcall function 0000000140008EBC: Sleep.KERNEL32(?,?,00000000,000000014000C125,?,?,?,000000014000C1CF,?,?,00000000,0000000140008BF9,?,?,00000000,0000000140008CB0), ref: 0000000140008EF2
                        • free.LIBCMT ref: 000000014000CD0F
                          • Part of subcall function 0000000140007398: HeapFree.KERNEL32(?,?,00000000,0000000140008CC4,?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000), ref: 00000001400073AE
                          • Part of subcall function 0000000140007398: _errno.LIBCMT ref: 00000001400073B8
                          • Part of subcall function 0000000140007398: GetLastError.KERNEL32(?,?,00000000,0000000140008CC4,?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000), ref: 00000001400073C0
                        • _lock.LIBCMT ref: 000000014000CD47
                        • free.LIBCMT ref: 000000014000CDF7
                        • free.LIBCMT ref: 000000014000CE27
                        • _errno.LIBCMT ref: 000000014000CE2C
                        Similarity
                        • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
                        • String ID:
                        • API String ID: 2878544890-0
                        APIs
                        Similarity
                        • API ID: Close$Enum$Open
                        • String ID:
                        • API String ID: 4245071059-0
                        APIs
                        • GetLastError.KERNEL32(?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000,00000001400073F7), ref: 0000000140008C62
                        • FlsGetValue.KERNEL32(?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000,00000001400073F7), ref: 0000000140008C70
                        • SetLastError.KERNEL32(?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000,00000001400073F7), ref: 0000000140008CC8
                          • Part of subcall function 0000000140008F28: Sleep.KERNEL32(?,?,00000000,0000000140008C8B,?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000), ref: 0000000140008F6D
                        • FlsSetValue.KERNEL32(?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000,00000001400073F7), ref: 0000000140008C9C
                        • free.LIBCMT ref: 0000000140008CBF
                        • GetCurrentThreadId.KERNEL32 ref: 0000000140008CB0
                        Similarity
                        • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                        • String ID:
                        • API String ID: 3106088686-0
                        APIs
                        Strings
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: DriverPackageInstallW
                        • API String ID: 145871493-1557024896
                        APIs
                        Strings
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: DriverPackageUninstallW
                        • API String ID: 145871493-4209722632
                        APIs
                        Strings
                        Similarity
                        • API ID: Library$AddressFreeLoadProc
                        • String ID: DriverPackagePreinstallW
                        • API String ID: 145871493-4107050277
                        APIs
                        Similarity
                        • API ID: free$ErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 1012874770-0
                        APIs
                        Strings
                        Similarity
                        • API ID: _getptd
                        • String ID: MOC$csm
                        • API String ID: 3186804695-1389381023
                        APIs
                        • GetStartupInfoA.KERNEL32 ref: 000000014000A4E9
                          • Part of subcall function 0000000140008F28: Sleep.KERNEL32(?,?,00000000,0000000140008C8B,?,?,00000000,0000000140008AC1,?,?,?,?,0000000140007762,?,?,00000000), ref: 0000000140008F6D
                        • GetFileType.KERNEL32 ref: 000000014000A666
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: FileInfoSleepStartupType
                        • String ID:
                        • API String ID: 1527402494-0
                        • Opcode ID: 251b22781a8bed187218fd6f99c950f5ffda652357fdfb7a9b45b7507ab7663a
                        • Instruction ID: f1a4cc58452895f8ecabbee7fc04da0b3070f15edfd3bdd4804f75d1c2ee8532
                        • Opcode Fuzzy Hash: 251b22781a8bed187218fd6f99c950f5ffda652357fdfb7a9b45b7507ab7663a
                        • Instruction Fuzzy Hash: 14915DB261468085EB12CB26E84879836E5F30A7F4F698725E7B9473F1DB7EC842C711
                        APIs
                        • DecodePointer.KERNEL32(?,?,00000000,00000001400075C9,?,?,?,?,0000000140007449), ref: 00000001400074E1
                        • DecodePointer.KERNEL32(?,?,00000000,00000001400075C9,?,?,?,?,0000000140007449), ref: 00000001400074F0
                        • EncodePointer.KERNEL32(?,?,00000000,00000001400075C9,?,?,?,?,0000000140007449), ref: 000000014000756D
                          • Part of subcall function 0000000140008FAC: realloc.LIBCMT ref: 0000000140008FD7
                          • Part of subcall function 0000000140008FAC: Sleep.KERNEL32(?,?,00000000,000000014000755D,?,?,00000000,00000001400075C9,?,?,?,?,0000000140007449), ref: 0000000140008FF3
                        • EncodePointer.KERNEL32(?,?,00000000,00000001400075C9,?,?,?,?,0000000140007449), ref: 000000014000757C
                        • EncodePointer.KERNEL32(?,?,00000000,00000001400075C9,?,?,?,?,0000000140007449), ref: 0000000140007588
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                        • String ID:
                        • API String ID: 1310268301-0
                        • Opcode ID: 5e85352ea3328edc7a216b42e29695b01e4e5a847025ff0e929179526e54d913
                        • Instruction ID: 6cd1af15e87afbe952b9f477314331f12dd8beeea221fddc429617c45dbd875d
                        • Opcode Fuzzy Hash: 5e85352ea3328edc7a216b42e29695b01e4e5a847025ff0e929179526e54d913
                        • Instruction Fuzzy Hash: 78216DB1701A4480EA12EB63F9443DAA391B78CBC1F444825FB4E0B7BAEABCC085C345
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: _getptd$CallTranslator
                        • String ID: MOC
                        • API String ID: 3569367362-624257665
                        • Opcode ID: 04df5c5e1e2076b2249b6c941c7c70ae2ac4259a1e13be1024252e866a7979be
                        • Instruction ID: 504180437007703d3da7f54a7c0a24b6b739d7cd428bf268837928b5220591e0
                        • Opcode Fuzzy Hash: 04df5c5e1e2076b2249b6c941c7c70ae2ac4259a1e13be1024252e866a7979be
                        • Instruction Fuzzy Hash: 6A6190B2204BC496DB31DB16F4807EEB7A0F788BC8F044526EB9D47AA9DB78C155CB00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Advapi32.dll$RegDeleteKeyExW
                        • API String ID: 1646373207-2191092095
                        • Opcode ID: ba2d829cebd6b487d60ee0deaf7004dfa47d5afa8726728c944fe30236e214ef
                        • Instruction ID: 462ee25dd716abb96fc04bf8f2c598cfe9262d5ff41b4f641db104fb3e694699
                        • Opcode Fuzzy Hash: ba2d829cebd6b487d60ee0deaf7004dfa47d5afa8726728c944fe30236e214ef
                        • Instruction Fuzzy Hash: 0501E2B1619A8080EB57CF57E8847D527A0EB4CBC4F885065EB4D0B7BADB7AC494C704
                        APIs
                        • GetModuleHandleW.KERNEL32(?,?,000000FF,00000001400090F5,?,?,00000000,000000014000C102,?,?,?,000000014000C1CF,?,?,00000000,0000000140008BF9), ref: 00000001400090BB
                        • GetProcAddress.KERNEL32(?,?,000000FF,00000001400090F5,?,?,00000000,000000014000C102,?,?,?,000000014000C1CF,?,?,00000000,0000000140008BF9), ref: 00000001400090D0
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: CorExitProcess$mscoree.dll
                        • API String ID: 1646373207-1276376045
                        • Opcode ID: ae92f531f47ebb245147c041da5d04b1de0f7ba00532cfa74997367f00670beb
                        • Instruction ID: bd44a2196b5c310ae1a0f19dda9ad44ff415f0a3e7d637001e16db04d52139ff
                        • Opcode Fuzzy Hash: ae92f531f47ebb245147c041da5d04b1de0f7ba00532cfa74997367f00670beb
                        • Instruction Fuzzy Hash: C0E0127071661542FE9B9B92B8843A412919B4C780F485028A79E0B3F1EE7A9999C700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: _getptd$BaseImage
                        • String ID:
                        • API String ID: 2482573191-0
                        • Opcode ID: 98a5a6a917ddd4be4fca11f54d82e087a7ecbe56627acb91d98cb70d4dc990ef
                        • Instruction ID: db1282a9764c579a757e51b53515a999351e9a52606167c5de47e02bd004f7b0
                        • Opcode Fuzzy Hash: 98a5a6a917ddd4be4fca11f54d82e087a7ecbe56627acb91d98cb70d4dc990ef
                        • Instruction Fuzzy Hash: 304163B2600A4585EA26E757F4817ED6690B74EBD8F558222FF59477F2DB38C442C700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: ExceptionRaisefree
                        • String ID:
                        • API String ID: 501637548-0
                        • Opcode ID: dafb5da48201dce4baf7c8ff6607bf8fea63bcc6beef1ff0bd367b6192d39cd7
                        • Instruction ID: fafe504ed305d800c50ee4d728a906ad5c677b67aa98a7fd24dbcfceddb15717
                        • Opcode Fuzzy Hash: dafb5da48201dce4baf7c8ff6607bf8fea63bcc6beef1ff0bd367b6192d39cd7
                        • Instruction Fuzzy Hash: 6E219DB2604A50C2FB66DF22F191BED73A0FB88FC4F008515EB9907A69CF79C8418781
                        APIs
                        • FlsFree.KERNEL32(?,?,?,?,0000000140008EB1,?,?,00000000,0000000140007C12), ref: 0000000140008B8B
                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140008EB1), ref: 000000014000C05E
                        • free.LIBCMT ref: 000000014000C067
                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140008EB1), ref: 000000014000C087
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: CriticalDeleteSection$Freefree
                        • String ID:
                        • API String ID: 1250194111-0
                        • Opcode ID: a3176ef91523f80b145836236767eea2317155b237430114f4e431af4d8ba0ab
                        • Instruction ID: 24949af41600a50218b7ba83c01f318ba3bcce0f53689542d12ca2586d092747
                        • Opcode Fuzzy Hash: a3176ef91523f80b145836236767eea2317155b237430114f4e431af4d8ba0ab
                        • Instruction Fuzzy Hash: 16118871A16A40C2FA2ACB17F8447987360F74DBD4F584211FB990BAB5CB39C496C700
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: FreeString
                        • String ID:
                        • API String ID: 3341692771-0
                        • Opcode ID: b5e704aaa25ec80050bffbaab756e7269d2974b30e33d70d5be437bf872a4c96
                        • Instruction ID: 2460d78c275cdd5aba3c75697fa967caff103665d156fc7b4d197c2ee54207d4
                        • Opcode Fuzzy Hash: b5e704aaa25ec80050bffbaab756e7269d2974b30e33d70d5be437bf872a4c96
                        • Instruction Fuzzy Hash: 1801EC31204A0186D7129F1BE9983997370FB88FE4F144211EBAE47BB5DF7AD4A5C300
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: FreeString
                        • String ID:
                        • API String ID: 3341692771-0
                        • Opcode ID: e8a3a9a07525436b146ad32b67b240c06138c429e22b6ce2f8afbaa00471f732
                        • Instruction ID: c7f1c6efbe32ed7523752ccb910b43a785a44d6dba67ad8cd7571bb3764643f5
                        • Opcode Fuzzy Hash: e8a3a9a07525436b146ad32b67b240c06138c429e22b6ce2f8afbaa00471f732
                        • Instruction Fuzzy Hash: D3F0C432214A0196EB069B27E9983A86370FB8CFC0F144021EB4E47B70CF79C4A5C340
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: _getptd
                        • String ID: csm$csm
                        • API String ID: 3186804695-3733052814
                        • Opcode ID: 5558db94516e4555785c3016d45f11891a141cde8e88e727fe663a89f03799f2
                        • Instruction ID: 02180cf6eb52865928f417daec28905aa01ff43f23aafe2298e435bb3e352a72
                        • Opcode Fuzzy Hash: 5558db94516e4555785c3016d45f11891a141cde8e88e727fe663a89f03799f2
                        • Instruction Fuzzy Hash: D2518FB220468086EB76CE27F4407E9B6A0F35DBC4F148125FF9957BA9CB38C891CB05
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.3073780559.0000000140001000.00000020.00000001.01000000.00000009.sdmp, Offset: 0000000140000000, based on PE: true
                        Similarity
                        • API ID: _getptd
                        • String ID: csm
                        • API String ID: 3186804695-1018135373
                        • Opcode ID: 5fb5f516ece612a840ad19b53f9db860e8904185b01b90d7810ceb371c965011
                        • Instruction ID: ce4c0d6d623976e352da637ade08d3c0661dd96a3736f888ca5ddf5caa442b5d
                        • Opcode Fuzzy Hash: 5fb5f516ece612a840ad19b53f9db860e8904185b01b90d7810ceb371c965011
                        • Instruction Fuzzy Hash: 03014CB2101641C9EB72DF72E8503F823A4E79CB99F498125EF4D0BBA5CB30C981E701

                        Execution Graph

                        Execution Coverage:12.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:13
                        Total number of Limit Nodes:1
                        execution_graph 542 1eba4cf 543 1eba4e2 WriteFile 542->543 545 1eba569 543->545 530 1eba25e 531 1eba28a SetErrorMode 530->531 532 1eba2b3 530->532 533 1eba29f 531->533 532->531 538 1eba23c 539 1eba25e SetErrorMode 538->539 541 1eba29f 539->541 534 1eba502 537 1eba537 WriteFile 534->537 536 1eba569 537->536

                        Callgraph

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Strings
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2730089445.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4aa0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j$dSk
                        • API String ID: 0-4078699674
                        • Opcode ID: 8c6c6b6d2fdc0ff611cde22b7fa455ca0cc1971bab206b4ea99e350d35092edb
                        • Instruction ID: 15b53b249d06d9c7292e4ca19169ad3281d3f71d06840bf41c27f6144efc5ab0
                        • Opcode Fuzzy Hash: 8c6c6b6d2fdc0ff611cde22b7fa455ca0cc1971bab206b4ea99e350d35092edb
                        • Instruction Fuzzy Hash: 8CA17C307052058FDB18AFB8C4587AE77F6EF89308F208479D605CF2A5DB7A9895CB91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 100 1eba4cf-1eba559 105 1eba55b-1eba57b WriteFile 100->105 106 1eba59d-1eba5a2 100->106 109 1eba57d-1eba59a 105->109 110 1eba5a4-1eba5a9 105->110 106->105 110->109
                        APIs
                        • WriteFile.KERNEL32(?,00000E84,3525C6B7,00000000,00000000,00000000,00000000), ref: 01EBA561
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726523312.0000000001EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1eba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: c745fb1fda0f48ec53501c8c13a8dbaf52122a7d55f4d5bb66673f5f602532b8
                        • Instruction ID: 210934036ccaf7aa567b2696aad1ed7ca91abfd98cc175a3925a959990bcce04
                        • Opcode Fuzzy Hash: c745fb1fda0f48ec53501c8c13a8dbaf52122a7d55f4d5bb66673f5f602532b8
                        • Instruction Fuzzy Hash: 3821B5714093806FDB228F61DC45F96BFB8EF46314F0884DBE9858B153D329A909C772

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 113 1eba502-1eba559 116 1eba55b-1eba563 WriteFile 113->116 117 1eba59d-1eba5a2 113->117 118 1eba569-1eba57b 116->118 117->116 120 1eba57d-1eba59a 118->120 121 1eba5a4-1eba5a9 118->121 121->120
                        APIs
                        • WriteFile.KERNEL32(?,00000E84,3525C6B7,00000000,00000000,00000000,00000000), ref: 01EBA561
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726523312.0000000001EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1eba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 38f1a50c8f0b331f6c6086cc9fb7d49ee1ebbb91f097f6189d662e5cb806b6a4
                        • Instruction ID: a6775bf243241798607c3167a83d0094658644c4b579c0330d2fd49cfdaf826b
                        • Opcode Fuzzy Hash: 38f1a50c8f0b331f6c6086cc9fb7d49ee1ebbb91f097f6189d662e5cb806b6a4
                        • Instruction Fuzzy Hash: 8E11B672500200AFDB21CF65DC85FAAFBA8EF44314F04846AEA459B151D375E5448BB1

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 124 1eba23c-1eba288 126 1eba28a-1eba29d SetErrorMode 124->126 127 1eba2b3-1eba2b8 124->127 128 1eba2ba-1eba2bf 126->128 129 1eba29f-1eba2b2 126->129 127->126 128->129
                        APIs
                        • SetErrorMode.KERNEL32(?,3525C6B7,00000000,?,?,?,?,?,?,?,?,6B9D3C58), ref: 01EBA290
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726523312.0000000001EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1eba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 330f64d6b587cf0e05c779424f4e44254ec0db7cb0f3ad4329ec6cd341d6e0c4
                        • Instruction ID: 968cd92ff51ba4f76de7adeda21bb02d360424615327cb63ad134aa7897779ff
                        • Opcode Fuzzy Hash: 330f64d6b587cf0e05c779424f4e44254ec0db7cb0f3ad4329ec6cd341d6e0c4
                        • Instruction Fuzzy Hash: FE1188714093849FDB128F15DC44B62FFB4DF46624F0880DAED858B253D275A908CB72

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 132 1eba25e-1eba288 133 1eba28a-1eba29d SetErrorMode 132->133 134 1eba2b3-1eba2b8 132->134 135 1eba2ba-1eba2bf 133->135 136 1eba29f-1eba2b2 133->136 134->133 135->136
                        APIs
                        • SetErrorMode.KERNEL32(?,3525C6B7,00000000,?,?,?,?,?,?,?,?,6B9D3C58), ref: 01EBA290
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726523312.0000000001EBA000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1eba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: e0f740ffda52c9a654f485dd997a9524b1653c59d008e3f5bb7e359e0367378a
                        • Instruction ID: bf5e0cdcd41e6fccf88debb167c5c51394c22249c2581203840bde2e969f4cb0
                        • Opcode Fuzzy Hash: e0f740ffda52c9a654f485dd997a9524b1653c59d008e3f5bb7e359e0367378a
                        • Instruction Fuzzy Hash: 95F0C8358046508FDB51CF56D8857A6FBA4DF45724F08C0AADD494B352D37AE408CFA2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Memory Dump Source
                        • Source File: 0000000A.00000002.2730089445.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_4aa0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5a0a9d98e9ce02610d37a1f655dc178f4d0af41b489976eaeccbc286795e41f9
                        • Instruction ID: f506e2557291d250ad5a8ea732283d0cbff7881024fee59076e1527608815f71
                        • Opcode Fuzzy Hash: 5a0a9d98e9ce02610d37a1f655dc178f4d0af41b489976eaeccbc286795e41f9
                        • Instruction Fuzzy Hash: 8751F87090D386CFDB159F74C8583AABBB1BF42318F1481BAC141CB192D37D98A5CB52

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726959641.0000000001EE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 01EE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1ee0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d513c47c4c3197f8159c3eaf82f2a97001cc21b25a6d2a4aca9284e94cc0351b
                        • Instruction ID: 46c493cf8bf090822b118351dab767f2874566ccde0b60a8a7b7a13f185dea21
                        • Opcode Fuzzy Hash: d513c47c4c3197f8159c3eaf82f2a97001cc21b25a6d2a4aca9284e94cc0351b
                        • Instruction Fuzzy Hash: 54F0F4B64097806FC3118B66AC41853FFF8DF86230709C4ABEC498B252D139B909CBB2

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726959641.0000000001EE0000.00000040.00000020.00020000.00000000.sdmp, Offset: 01EE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1ee0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1b79e558918d9f6181bc00015acbabf1bca8e9541cdb73dffc26182725c35f2d
                        • Instruction ID: f08fd31e4d6a547da1c96cb8069b11423f5555e867ef9b8ec37080090c324556
                        • Opcode Fuzzy Hash: 1b79e558918d9f6181bc00015acbabf1bca8e9541cdb73dffc26182725c35f2d
                        • Instruction Fuzzy Hash: 38E012B66046045B9750CF0AEC46462F7E4EB84630B18C47FDC4D8B711E67AF509CBB6

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726347463.0000000001EB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EB2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1eb2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 825e43207aa856efd7773507bbf11fea808c7a60f153493f424528c8d0a2994b
                        • Instruction ID: d1d40704406a240ca1c21d10a67ba4b6eb717b14655e913080bd8ae785a8a397
                        • Opcode Fuzzy Hash: 825e43207aa856efd7773507bbf11fea808c7a60f153493f424528c8d0a2994b
                        • Instruction Fuzzy Hash: 0AD05B752046814FE7168E1CD595BDA3FA4AF51709F4644F99D408B763C75CE5C5D200

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000A.00000002.2726347463.0000000001EB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EB2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_10_2_1eb2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 91c8a7fe09e583f3af8cdee49668a2e794a8f58cc16faf8c49dccc333adfe4b1
                        • Instruction ID: da1997d9ed5aa264176084ea98dca2d963943a86b6abe7919d1236b305e903f4
                        • Opcode Fuzzy Hash: 91c8a7fe09e583f3af8cdee49668a2e794a8f58cc16faf8c49dccc333adfe4b1
                        • Instruction Fuzzy Hash: E7D05E342416824BDB25DE1CD6D4F9E37D4AF40B08F0644E8AD108B262CBA8E9C0CA00

                        Execution Graph

                        Execution Coverage:5.6%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:13
                        Total number of Limit Nodes:1

                        Callgraph

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2753670122.0000000002220000.00000040.00000800.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_2220000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j$dSk
                        • API String ID: 0-4078699674
                        • Opcode ID: 9ab374c1078c84433b90983d490fa7e608a1777d94eeb6f29a73476b770e9f83
                        • Instruction ID: e459d69401b21a00253d7a4abfa55ac2ff126666b98eb94e5cb6f41488892c69
                        • Opcode Fuzzy Hash: 9ab374c1078c84433b90983d490fa7e608a1777d94eeb6f29a73476b770e9f83
                        • Instruction Fuzzy Hash: 2DA1A230714229DFDB18ABB8C51577E77F6EF88308F10817AD105CB2A9DB7A8985CB91

                        Control-flow Graph

                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,7D6C5AFC,00000000,00000000,00000000,00000000), ref: 005EA561
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2750957432.00000000005EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005EA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_5ea000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 1cc040a8ef51ba3b9456e23959ed0638aea615e2cbee561587d033754ca43710
                        • Instruction ID: e2ddd0587f6e2b7fad0a2f819e369933392ff5ab4810c84098a814c9afb0cbd2
                        • Opcode Fuzzy Hash: 1cc040a8ef51ba3b9456e23959ed0638aea615e2cbee561587d033754ca43710
                        • Instruction Fuzzy Hash: 8521B5714093806FDB228F61DC45FA6BFB8EF06314F08849BE9858F193D269A909C772

                        Control-flow Graph

                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,7D6C5AFC,00000000,00000000,00000000,00000000), ref: 005EA561
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2750957432.00000000005EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005EA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_5ea000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 0fd0962a325aff8264ae12469964f3da70be3221784c7c28fa70742054196efa
                        • Instruction ID: b3848a5625905d0e2d1466dc98a922307f68e2d4fd1b3cb643eefa4babc2be2f
                        • Opcode Fuzzy Hash: 0fd0962a325aff8264ae12469964f3da70be3221784c7c28fa70742054196efa
                        • Instruction Fuzzy Hash: 5F11B272500240AFEB21CF62DC45F66FBA8EF05314F14885AEA459B151D378E4448BB2

                        Control-flow Graph

                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 005EA290
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2750957432.00000000005EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005EA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_5ea000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: dfddd8f25fc17428adf80fb7849c4a7bf73656c02716875e0182812ff5083471
                        • Instruction ID: 62a93a039ee7cf3c88547fe4025e5550c272da287fd604d9cdd466b15cf16dbe
                        • Opcode Fuzzy Hash: dfddd8f25fc17428adf80fb7849c4a7bf73656c02716875e0182812ff5083471
                        • Instruction Fuzzy Hash: E71165754093C4AFD7128B15DC44B62FFB4DF56624F0880DAED858B253D265A808CB72

                        Control-flow Graph

                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 005EA290
                        Memory Dump Source
                        • Source File: 0000000C.00000002.2750957432.00000000005EA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005EA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_5ea000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: d344cd21b2c2bc342b722dd636ed4701df06607d8ac54b0616a93fcd43abe51a
                        • Instruction ID: b1b9b2c8f79d45dd31ff318d4cbfaedb73bd2e99268b3bf3dee3b30cf89ae858
                        • Opcode Fuzzy Hash: d344cd21b2c2bc342b722dd636ed4701df06607d8ac54b0616a93fcd43abe51a
                        • Instruction Fuzzy Hash: DFF081399046409FDB508F16D885761FF90EF15724F08C09ADE495B252D279F404CAA2

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000C.00000002.2753303219.00000000021E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_21e0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5637b180f65a9dee07fab17e5e0baaf536526e189a49b8887894249d99d2afa
                        • Instruction ID: 341a2e28d8dbd53df631d8c1f640d6466df88f5b6b4f015eee4b5630ac4e960d
                        • Opcode Fuzzy Hash: f5637b180f65a9dee07fab17e5e0baaf536526e189a49b8887894249d99d2afa
                        • Instruction Fuzzy Hash: 1D0186B650D7806FD7128B169C41863FFB8DF86630709C49FEC498B653D629A909CB72

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000C.00000002.2753303219.00000000021E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_21e0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cbeeb7ba18008deb3e91d675b6e40fcd6f2bd2e901ab6e4008be68471a58089d
                        • Instruction ID: 4169b9141389019ed11bd61413568376a77e830a31150e9bdbafc181f41d686f
                        • Opcode Fuzzy Hash: cbeeb7ba18008deb3e91d675b6e40fcd6f2bd2e901ab6e4008be68471a58089d
                        • Instruction Fuzzy Hash: 4CE092B66046045B9750CF0BEC82462FBD4EB84630708C17FDC0D8B701E679F505CBA5

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000C.00000002.2750838943.00000000005E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_5e2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c67993ccbecd7f38cb2b4dfa48f2fcb472315c723370aa3a9120ac589df823d6
                        • Instruction ID: 4ff7bc58726a6a9062aaecb12174d068f39f0ef087f206b1dd095ce9fbb6dc31
                        • Opcode Fuzzy Hash: c67993ccbecd7f38cb2b4dfa48f2fcb472315c723370aa3a9120ac589df823d6
                        • Instruction Fuzzy Hash: E1D05E792047C14FDB2A8F1DD6A5B953BD8BB51708F4A44F9AC808B7A7CB68D9C1D200

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 0000000C.00000002.2750838943.00000000005E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 005E2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_12_2_5e2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2b83687008c79025c6eeaf8aad6fca6e686d2e0d6cceb64d4cc73b5e56bf4744
                        • Instruction ID: 479620423da344dbb8abc3a126ac185cc57d3354a3def82896fe1e3aa11dc8c0
                        • Opcode Fuzzy Hash: 2b83687008c79025c6eeaf8aad6fca6e686d2e0d6cceb64d4cc73b5e56bf4744
                        • Instruction Fuzzy Hash: 98D05E342406814BCB29CE1DD6D4F5937D8BB44B04F1A48E8AC508B266CBACD9C0CA00
                        Strings
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2774073561.0000000002160000.00000040.00000800.00020000.00000000.sdmp, Offset: 02160000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_2160000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j$dSk
                        • API String ID: 0-4078699674
                        • Opcode ID: 7249af9755f474f7d7169bea488cf71ff8a5914e319ac7ca1bea59ad17813362
                        • Instruction ID: 54e9cb96f935ac66112fea6bc9b91586559a0a718fc9a3a62f8a655041079e58
                        • Opcode Fuzzy Hash: 7249af9755f474f7d7169bea488cf71ff8a5914e319ac7ca1bea59ad17813362
                        • Instruction Fuzzy Hash: 91A178307402058FDB18ABB9C41977E77E6FF88309F20806DD506DB6A5DB7AC895CB91
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2773824832.0000000001FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_1fa0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 66b4057711c1ed0295900655b40e856fd682f1bd30e7a8568a89f92264bfb8e3
                        • Instruction ID: fa699e876d0762e9aa2dfa8ad1f2b15e7d13f92a18dcff8f8b955af9e09bfc24
                        • Opcode Fuzzy Hash: 66b4057711c1ed0295900655b40e856fd682f1bd30e7a8568a89f92264bfb8e3
                        • Instruction Fuzzy Hash: 32F0F9B64083806FD7128F16EC44862FFB8EF86620749C09FEC498B612D229B908C771
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2773824832.0000000001FA0000.00000040.00000020.00020000.00000000.sdmp, Offset: 01FA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_1fa0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 82e7e94aaae185ed2929f389bb743060184608cab363e9eb1017961076317cf7
                        • Instruction ID: 1c2001e26f90e7616419fda739f8de0f6a523722387bdab831ae1f3b16eb298b
                        • Opcode Fuzzy Hash: 82e7e94aaae185ed2929f389bb743060184608cab363e9eb1017961076317cf7
                        • Instruction Fuzzy Hash: 58E092B66006044B9750CF0AEC42452F7E4EB84630708C57FDC0D8B701E639F505CBA5
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2768680913.00000000004E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_4e2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7a81ba44155044cd4e4160c3d7573aab190ee15e29928443ca521f97762fd023
                        • Instruction ID: f756e009019b866bb0e00641a4f5198ff30171b24610d6a1cdb06b05ec78fb4e
                        • Opcode Fuzzy Hash: 7a81ba44155044cd4e4160c3d7573aab190ee15e29928443ca521f97762fd023
                        • Instruction Fuzzy Hash: 76D05E792046D14FD7268F1CD6A5B9637D8AB51709F4A44FAAC408B7A3CBACD9C1D200
                        Memory Dump Source
                        • Source File: 0000000E.00000002.2768680913.00000000004E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_14_2_4e2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ac2a1b185f113c31664c67f028af253b4aa350abb7643b8af8dcf3c8c19c8971
                        • Instruction ID: 13a343d6dfe5f05505eec5a14ac727c02f21d0d05f8c248f3a16f1b99cae2f9b
                        • Opcode Fuzzy Hash: ac2a1b185f113c31664c67f028af253b4aa350abb7643b8af8dcf3c8c19c8971
                        • Instruction Fuzzy Hash: 74D05E342406814BCB25CE2DD7D4F5A33D8AB40B05F1A44E9AC108B362CBACD9C0CA00

                        Execution Graph

                        Execution Coverage:4.2%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:13
                        Total number of Limit Nodes:1

                        Callgraph


                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000010.00000002.2789340823.0000000004990000.00000040.00000800.00020000.00000000.sdmp, Offset: 04990000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_4990000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j$dSk
                        • API String ID: 0-4078699674
                        • Opcode ID: 6f08d88b261092be256b21a71539d576370a2380198157dd02c80817fa82c1af
                        • Instruction ID: 519be5d92ba0e4c2d6c9066f0bb8009001fed64455909a6532fdf27b225ce551
                        • Opcode Fuzzy Hash: 6f08d88b261092be256b21a71539d576370a2380198157dd02c80817fa82c1af
                        • Instruction Fuzzy Hash: 6EA16C317002058FDF18AFB8C46576E77EAEF89309F208479D515CB2A5DB7A9C81CB91

                        Control-flow Graph

                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,EDA93AA5,00000000,00000000,00000000,00000000), ref: 006BA561
                        Memory Dump Source
                        • Source File: 00000010.00000002.2784685022.00000000006BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6ba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: d8944f68bbcfe27552063e11529bf760b0113831de80cb880bfffa0920e1e304
                        • Instruction ID: 618f841af77629635ca059d65b06ee645655ce1dfc5c09c9664a99c38c65c734
                        • Opcode Fuzzy Hash: d8944f68bbcfe27552063e11529bf760b0113831de80cb880bfffa0920e1e304
                        • Instruction Fuzzy Hash: DF21B7B24093806FDB22CF61DC45F96BFB8EF06314F0884DBE9858B153D225A949C772

                        Control-flow Graph

                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,EDA93AA5,00000000,00000000,00000000,00000000), ref: 006BA561
                        Memory Dump Source
                        • Source File: 00000010.00000002.2784685022.00000000006BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6ba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 04ae52364aaf89ea1e647ef47ea905dc0111b472e920d439e4cd292ca82c653f
                        • Instruction ID: d2b9be18f387527fac9d2c4394f8796ff3e9af13a64ff694693cf1296cff3fa4
                        • Opcode Fuzzy Hash: 04ae52364aaf89ea1e647ef47ea905dc0111b472e920d439e4cd292ca82c653f
                        • Instruction Fuzzy Hash: 3C11C1B2500200AFEB21CF65DD45FA6FBA9EF04324F18C85AEA459B251D379E544CBB2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 123 6ba23c-6ba288 125 6ba28a-6ba29d SetErrorMode 123->125 126 6ba2b3-6ba2b8 123->126 127 6ba2ba-6ba2bf 125->127 128 6ba29f-6ba2b2 125->128 126->125 127->128
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 006BA290
                        Memory Dump Source
                        • Source File: 00000010.00000002.2784685022.00000000006BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6ba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 0e754d52be768c64fb54d5045db60a069764a680fcf0d6d2b318d456eeab6bad
                        • Instruction ID: 8fff501de0583b9112acc41476a674f99e6383e4e756e3b947c8c3a756291a1c
                        • Opcode Fuzzy Hash: 0e754d52be768c64fb54d5045db60a069764a680fcf0d6d2b318d456eeab6bad
                        • Instruction Fuzzy Hash: 311184B1409384AFD7228F15DC44B62FFB4DF46724F0880DAED858B663D275A948CB72

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 131 6ba25e-6ba288 132 6ba28a-6ba29d SetErrorMode 131->132 133 6ba2b3-6ba2b8 131->133 134 6ba2ba-6ba2bf 132->134 135 6ba29f-6ba2b2 132->135 133->132 134->135
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 006BA290
                        Memory Dump Source
                        • Source File: 00000010.00000002.2784685022.00000000006BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 006BA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6ba000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: c0cc7da9c54c1d2144cd9a715c882c186cf90e8380b7f730dbc7f283625d1839
                        • Instruction ID: eab043d8d164d8c201cb3de808ed31198a301d9cbf824ec45eef9a701bf0fe80
                        • Opcode Fuzzy Hash: c0cc7da9c54c1d2144cd9a715c882c186cf90e8380b7f730dbc7f283625d1839
                        • Instruction Fuzzy Hash: 8EF0FF758046008FEB10CF46D8857A1FBA0EF05324F0CC09ADD484B352E27AE948CFA2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 138 21105df-2110620 140 2110626-2110643 138->140
                        Memory Dump Source
                        • Source File: 00000010.00000002.2787531125.0000000002110000.00000040.00000020.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_2110000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0a487c632a832fc227b2ee11d18d23810b3804a9798564e2889ba474e6a59127
                        • Instruction ID: bf4f9a60ec838067f436743d694e70b20436e09776bde08de002e2d7769f94fb
                        • Opcode Fuzzy Hash: 0a487c632a832fc227b2ee11d18d23810b3804a9798564e2889ba474e6a59127
                        • Instruction Fuzzy Hash: EB01D67650D7846FD7128F16AC45862FFB8DF86620709C4AFEC898B612D229B909C772

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 141 2110606-2110620 142 2110626-2110643 141->142
                        Memory Dump Source
                        • Source File: 00000010.00000002.2787531125.0000000002110000.00000040.00000020.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_2110000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b6862b47eb03f04553583cbea615135c763c50642e16ef500fe106dce0531576
                        • Instruction ID: 862179564c68be604347b74b10e5c24b1b61ea108aa60748b4e1d505df667c35
                        • Opcode Fuzzy Hash: b6862b47eb03f04553583cbea615135c763c50642e16ef500fe106dce0531576
                        • Instruction Fuzzy Hash: 1DE092B66006044B9750CF0AFC46462F7E4EB84630708C47FDC4D8B701E63AF505CBA5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 143 6b23f4-6b23ff 144 6b2412-6b2417 143->144 145 6b2401-6b240e 143->145 146 6b241a 144->146 147 6b2419 144->147 145->144 148 6b2420-6b2421 146->148
                        Memory Dump Source
                        • Source File: 00000010.00000002.2784580939.00000000006B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6b2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9605fe24395c69c0c50b966a21546dfd0c64995195f162c1555cc1c965eae970
                        • Instruction ID: 8026bdb62873160ed0e5d713f723bc953e7c7ddb15ee709a152a836aa54aa75b
                        • Opcode Fuzzy Hash: 9605fe24395c69c0c50b966a21546dfd0c64995195f162c1555cc1c965eae970
                        • Instruction Fuzzy Hash: 48D02EB92046924FD3268E1CC2A4BC53BD0AF40708F4A40F9AC008BB63CB28D8C0C300

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 149 6b23bc-6b23c3 150 6b23d6-6b23db 149->150 151 6b23c5-6b23d2 149->151 152 6b23dd-6b23e0 150->152 153 6b23e1 150->153 151->150 154 6b23e7-6b23e8 153->154
                        Memory Dump Source
                        • Source File: 00000010.00000002.2784580939.00000000006B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_16_2_6b2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d1d7c84a963c81a488a4854d5a996ef5922527325766b6ed9fa482872762c9c6
                        • Instruction ID: 6e00dd7b7181ed14cf4014fe574e11ff56a75c90f27c0735f2a29ab2501d70a4
                        • Opcode Fuzzy Hash: d1d7c84a963c81a488a4854d5a996ef5922527325766b6ed9fa482872762c9c6
                        • Instruction Fuzzy Hash: 64D05E742406824BCB25DE1CD6E4F9933D5AB40B04F0644E8AC108B362CBACDDC0CB00

                        Execution Graph

                        Execution Coverage:11.5%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:13
                        Total number of Limit Nodes:1
                        execution_graph 457 5aa25e 458 5aa28a SetErrorMode 457->458 459 5aa2b3 457->459 460 5aa29f 458->460 459->458 465 5aa4cf 466 5aa4e2 WriteFile 465->466 468 5aa569 466->468 469 5aa23c 471 5aa25e SetErrorMode 469->471 472 5aa29f 471->472 461 5aa502 463 5aa537 WriteFile 461->463 464 5aa569 463->464

                        Callgraph

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 5aa4cf-5aa559 5 5aa55b-5aa57b WriteFile 0->5 6 5aa59d-5aa5a2 0->6 9 5aa57d-5aa59a 5->9 10 5aa5a4-5aa5a9 5->10 6->5 10->9
                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,A9400475,00000000,00000000,00000000,00000000), ref: 005AA561
                        Memory Dump Source
                        • Source File: 00000012.00000002.2804547685.00000000005AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5aa000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 54c530d182af9e5f93777e2c46d0fc720911009e8d1628faa3eff1257dde927f
                        • Instruction ID: 26cd16bbdba06a3c57c50b1ac6ac71734b7ed261b2963177cd70c977f8a19513
                        • Opcode Fuzzy Hash: 54c530d182af9e5f93777e2c46d0fc720911009e8d1628faa3eff1257dde927f
                        • Instruction Fuzzy Hash: DA21E5764093846FDB228F61DC44F96BFB8EF06314F08849BE9858F153D328A908CB76

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 13 5aa502-5aa559 16 5aa55b-5aa563 WriteFile 13->16 17 5aa59d-5aa5a2 13->17 19 5aa569-5aa57b 16->19 17->16 20 5aa57d-5aa59a 19->20 21 5aa5a4-5aa5a9 19->21 21->20
                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,A9400475,00000000,00000000,00000000,00000000), ref: 005AA561
                        Memory Dump Source
                        • Source File: 00000012.00000002.2804547685.00000000005AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5aa000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: 615a4c5877f3cb87a8781edb42a4ca26a7dbc44948521c42bbc693e8ddc034ad
                        • Instruction ID: bedf3b318ab806da5dd296874495ebf62554d0eb99c6d2a411d525287f9c4276
                        • Opcode Fuzzy Hash: 615a4c5877f3cb87a8781edb42a4ca26a7dbc44948521c42bbc693e8ddc034ad
                        • Instruction Fuzzy Hash: EB11C871500204AFEF21CF65DC45F6AFBE8EF15324F04885AE9458B151D374E444CBB6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 24 5aa23c-5aa288 26 5aa28a-5aa29d SetErrorMode 24->26 27 5aa2b3-5aa2b8 24->27 28 5aa2ba-5aa2bf 26->28 29 5aa29f-5aa2b2 26->29 27->26 28->29
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 005AA290
                        Memory Dump Source
                        • Source File: 00000012.00000002.2804547685.00000000005AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5aa000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: a5ee0784fa03006bc37ad876a65de2c52419fd621a907d02bd31621a14eec732
                        • Instruction ID: 0255cb036673bd09db37d6cad5a6220e21614ae0c980772e13c5b587d76c3422
                        • Opcode Fuzzy Hash: a5ee0784fa03006bc37ad876a65de2c52419fd621a907d02bd31621a14eec732
                        • Instruction Fuzzy Hash: 16116575409384AFD7228F15DC44B62FFB4DF46624F0880DAED858B252D265A818CB72

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Strings
                        Memory Dump Source
                        • Source File: 00000012.00000002.2809787411.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_4970000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j
                        • API String ID: 0-4039273937
                        • Opcode ID: bd21bfd28b0b7933bb5d8f3f83d99113e19f516efc1e47e4eb4e9a2dba4faaf7
                        • Instruction ID: 492af204c7b1411eeb304de5c799c19f313ff0a755f92ca27fe08575a7a687a8
                        • Opcode Fuzzy Hash: bd21bfd28b0b7933bb5d8f3f83d99113e19f516efc1e47e4eb4e9a2dba4faaf7
                        • Instruction Fuzzy Hash: 53A18D307042058FDB18BF78C45976E7BEAEF89349F208479D105CF2A5DB7A9886CB91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 132 5aa25e-5aa288 133 5aa28a-5aa29d SetErrorMode 132->133 134 5aa2b3-5aa2b8 132->134 135 5aa2ba-5aa2bf 133->135 136 5aa29f-5aa2b2 133->136 134->133 135->136
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 005AA290
                        Memory Dump Source
                        • Source File: 00000012.00000002.2804547685.00000000005AA000.00000040.00000800.00020000.00000000.sdmp, Offset: 005AA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5aa000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 9b02d9401a2eebcb64e82ced8216534ed0ec888a919f02e2f571c5cc8a5d5d5d
                        • Instruction ID: d99785c57bd0eb836de5df32f705247003a70f038df7f6a0e723fde8e60d1f1d
                        • Opcode Fuzzy Hash: 9b02d9401a2eebcb64e82ced8216534ed0ec888a919f02e2f571c5cc8a5d5d5d
                        • Instruction Fuzzy Hash: 6BF0AF799046409FDB608F15D885765FFE4EF16724F08C09ADD494B352D3BAE818CFA2

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 139 5d05e1-5d05e2 140 5d056b-5d05be 139->140 141 5d05e4-5d0620 139->141 145 5d0626-5d0643 141->145
                        Memory Dump Source
                        • Source File: 00000012.00000002.2805021515.00000000005D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5d0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 689849a63b8b28f5a0a237e4e323f4c20d109e9a29b605dc3fc0375803f0f6f6
                        • Instruction ID: 3b592ec7531bd25a69980520188bcd17a36020bf22491b5fd1aa3656b0686330
                        • Opcode Fuzzy Hash: 689849a63b8b28f5a0a237e4e323f4c20d109e9a29b605dc3fc0375803f0f6f6
                        • Instruction Fuzzy Hash: 7801DDB550D7906FD7128B15AC50926BFB8DFC6620F09C0DBEC49CB253D128A808CB72

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 146 5d0648-5d064a 147 5d064c-5d0665 call 5d066a 146->147 148 5d05df-5d05e2 146->148 151 5d056b-5d05be 148->151 152 5d05e4-5d0620 148->152 157 5d0626-5d0643 152->157
                        Memory Dump Source
                        • Source File: 00000012.00000002.2805021515.00000000005D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5d0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d93a1c605e5b014d567ad674dd6bbfd6575a7333a46e203a23dc543e96292943
                        • Instruction ID: fc99035ec918ee8150a6c6b47fa1f317ce0fdc51c9e1037e2f40e636f51537d5
                        • Opcode Fuzzy Hash: d93a1c605e5b014d567ad674dd6bbfd6575a7333a46e203a23dc543e96292943
                        • Instruction Fuzzy Hash: C911C0B550D7C45FD7138B25AC51962BFB4EF83620B0984DFE845CB253D519E809C772

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 158 5d0606-5d0620 159 5d0626-5d0643 158->159
                        Memory Dump Source
                        • Source File: 00000012.00000002.2805021515.00000000005D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5d0000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 61b37f84e6de52c344af32eebac1ae1eb9e398c7738bb947172abab864250d42
                        • Instruction ID: 0ef52ec82ca2365d20f83942622b4375d92e2427994fce130c6947137c656425
                        • Opcode Fuzzy Hash: 61b37f84e6de52c344af32eebac1ae1eb9e398c7738bb947172abab864250d42
                        • Instruction Fuzzy Hash: 41E092B66006045B9650CF0AFC41462FBD4EB84630B08C07FDC0D8B701E679B504CBA5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 160 5a23f4-5a23ff 161 5a2412-5a2417 160->161 162 5a2401-5a240e 160->162 163 5a241a 161->163 164 5a2419 161->164 162->161 165 5a2420-5a2421 163->165
                        Memory Dump Source
                        • Source File: 00000012.00000002.2804432386.00000000005A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 005A2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5a2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 856610cd52cedddf5a83decc948632f6f0f4264a55cfe7ba0becb7bfa707cbb3
                        • Instruction ID: e337c96f20c51a8cbf2a61e1510449552424b0d2bf1f8d973fa28ef8071f867c
                        • Opcode Fuzzy Hash: 856610cd52cedddf5a83decc948632f6f0f4264a55cfe7ba0becb7bfa707cbb3
                        • Instruction Fuzzy Hash: 75D05E792047814FDB268B1CC6A6B9A3BD4BB56704F4A44F9AC40CB763C768D9C1D200

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 166 5a23bc-5a23c3 167 5a23d6-5a23db 166->167 168 5a23c5-5a23d2 166->168 169 5a23dd-5a23e0 167->169 170 5a23e1 167->170 168->167 171 5a23e7-5a23e8 170->171
                        Memory Dump Source
                        • Source File: 00000012.00000002.2804432386.00000000005A2000.00000040.00000800.00020000.00000000.sdmp, Offset: 005A2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_18_2_5a2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 23bfd7db2a9668f020c161f7f4c0570e063e9f9fcb7f67483a2cb0a24dca1d9f
                        • Instruction ID: 45fb0f2ae47dda4606e2518da8f7f137e65a54cd15539b4eda8eb789fc78219f
                        • Opcode Fuzzy Hash: 23bfd7db2a9668f020c161f7f4c0570e063e9f9fcb7f67483a2cb0a24dca1d9f
                        • Instruction Fuzzy Hash: F6D05E342006814BCF25CA1CC6E5F5D37D4BB42704F0A48E9AC108B262C7BCD8C0DA00

                        Execution Graph

                        Execution Coverage:5.3%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:13
                        Total number of Limit Nodes:1
                        execution_graph 460 48a23c 461 48a25e SetErrorMode 460->461 463 48a29f 461->463 448 48a25e 449 48a28a SetErrorMode 448->449 450 48a2b3 448->450 451 48a29f 449->451 450->449 456 48a4cf 458 48a4e2 WriteFile 456->458 459 48a569 458->459 452 48a502 455 48a537 WriteFile 452->455 454 48a569 455->454

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 48a4cf-48a559 5 48a55b-48a57b WriteFile 0->5 6 48a59d-48a5a2 0->6 9 48a57d-48a59a 5->9 10 48a5a4-48a5a9 5->10 6->5 10->9
                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,61D0A62F,00000000,00000000,00000000,00000000), ref: 0048A561
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817702676.000000000048A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0048A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_48a000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: dec695b38401fdc4f8d6708f255ebaac1fff7c62030bc6a6ff93049ecb2391b2
                        • Instruction ID: 1f13d754818614a1540d95d7c3c1df8909bbe40123b56e754510642ce5b53395
                        • Opcode Fuzzy Hash: dec695b38401fdc4f8d6708f255ebaac1fff7c62030bc6a6ff93049ecb2391b2
                        • Instruction Fuzzy Hash: 3821E5764093846FEB228F61DC44F96BFB8EF06314F08849BE9848B153D268A958C776

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 13 48a502-48a559 16 48a55b-48a563 WriteFile 13->16 17 48a59d-48a5a2 13->17 18 48a569-48a57b 16->18 17->16 20 48a57d-48a59a 18->20 21 48a5a4-48a5a9 18->21 21->20
                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,61D0A62F,00000000,00000000,00000000,00000000), ref: 0048A561
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817702676.000000000048A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0048A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_48a000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: a003cc38b7a01c2581f454eab0ed31de1a309775f657c67d59918fd744b7dc92
                        • Instruction ID: 66f6f9b7df681d75f1aeb1bb54b55e0c495637d2fb624f793e44a77bcf7d8aff
                        • Opcode Fuzzy Hash: a003cc38b7a01c2581f454eab0ed31de1a309775f657c67d59918fd744b7dc92
                        • Instruction Fuzzy Hash: BF11E7B2500204AFEB21CF65DC45F6AFBA8EF14324F08885BEE458B251D378E455CBB6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 24 48a23c-48a288 26 48a28a-48a29d SetErrorMode 24->26 27 48a2b3-48a2b8 24->27 28 48a2ba-48a2bf 26->28 29 48a29f-48a2b2 26->29 27->26 28->29
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 0048A290
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817702676.000000000048A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0048A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_48a000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 2ea4d88708bb6596d15ab728ed8cb54a9e10b68a1c40617ac633f96b9cdb48ec
                        • Instruction ID: 2315fc705d08036cf5317c39c3d7999e634ae0270977dd76f4b7f10e19900d20
                        • Opcode Fuzzy Hash: 2ea4d88708bb6596d15ab728ed8cb54a9e10b68a1c40617ac633f96b9cdb48ec
                        • Instruction Fuzzy Hash: 2F116175409784AFDB228F15DC44B62FFB4DF46624F0880DBED858B262D269A818CB72

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Strings
                        Memory Dump Source
                        • Source File: 00000014.00000002.2821294062.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_4970000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j
                        • API String ID: 0-4039273937
                        • Opcode ID: f5f0e69fc50f299d894181912826b932a142e4a7f99430be047079fbde1daf99
                        • Instruction ID: 76e371573bfcbc2a079004e43317ea92bedd48929b5c209c3bf6cd53bf7b697f
                        • Opcode Fuzzy Hash: f5f0e69fc50f299d894181912826b932a142e4a7f99430be047079fbde1daf99
                        • Instruction Fuzzy Hash: 51A18E307042058FDB18BF74C529B6E77EAEF85348F208479E506CB2A5EB79D885CB91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 130 48a25e-48a288 131 48a28a-48a29d SetErrorMode 130->131 132 48a2b3-48a2b8 130->132 133 48a2ba-48a2bf 131->133 134 48a29f-48a2b2 131->134 132->131 133->134
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 0048A290
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817702676.000000000048A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0048A000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_48a000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 73f4d9ed5f8f8c9e29ba708c3d94072bec8b9c067d8e13afd89c1a3ff7890390
                        • Instruction ID: a5943854868b9f314e75462d4bddafe8e7e244b03f16d79180c99d4af9720698
                        • Opcode Fuzzy Hash: 73f4d9ed5f8f8c9e29ba708c3d94072bec8b9c067d8e13afd89c1a3ff7890390
                        • Instruction Fuzzy Hash: CBF0DC74804600CFEB208F05D885726FBA4EF05324F08C4DBDD080B352D2BAE829CBA3

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 137 470606-470620 138 470626-470643 137->138
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817542641.0000000000470000.00000040.00000020.00020000.00000000.sdmp, Offset: 00470000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_470000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d2b99469dd28a1f4ca03ab2a428828193467a917c982fa6f24cc3022589d1565
                        • Instruction ID: 54cbb883bdcfc03fafe9fb1472a919d4738835d58ae461817c53a33968ae5b15
                        • Opcode Fuzzy Hash: d2b99469dd28a1f4ca03ab2a428828193467a917c982fa6f24cc3022589d1565
                        • Instruction Fuzzy Hash: 15E092B6600A044B9650CF0BFC41452F7E4EB88630B08C07FDC0D8B711E639B508CBA5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 139 4823f4-4823ff 140 482401-48240e 139->140 141 482412-482417 139->141 140->141 142 482419 141->142 143 48241a 141->143 144 482420-482421 143->144
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817656397.0000000000482000.00000040.00000800.00020000.00000000.sdmp, Offset: 00482000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_482000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cdf57410e5a57524721965516f3248feb09b1ffb3615c995af9dad492ebe70e2
                        • Instruction ID: a123d4183bef457a8df1984ce75aa618a48c95b04c091c7a7d083b8d8e76fb95
                        • Opcode Fuzzy Hash: cdf57410e5a57524721965516f3248feb09b1ffb3615c995af9dad492ebe70e2
                        • Instruction Fuzzy Hash: 9FD05E792046914FD7269B1CC6A5B9A3794AB51B04F4A48FAAC40CB763C7ACD9C1D310

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 145 4823bc-4823c3 146 4823c5-4823d2 145->146 147 4823d6-4823db 145->147 146->147 148 4823dd-4823e0 147->148 149 4823e1 147->149 150 4823e7-4823e8 149->150
                        Memory Dump Source
                        • Source File: 00000014.00000002.2817656397.0000000000482000.00000040.00000800.00020000.00000000.sdmp, Offset: 00482000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_20_2_482000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b35f6202fa14172b00e1b49dc45c6db6a7a0c39da9ef0597379e73216e79eda1
                        • Instruction ID: b291dcf3ee25faea3b9575032ae07f3e7f855e9f4fab04a29f9e6789cfddbdc6
                        • Opcode Fuzzy Hash: b35f6202fa14172b00e1b49dc45c6db6a7a0c39da9ef0597379e73216e79eda1
                        • Instruction Fuzzy Hash: 66D05E346006814BCB26DA2CC7E4F5E33D4AB40704F0A48E9BC108B762C7BCD9C0DB00

                        Callgraph

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 4ca4cf-4ca559 5 4ca59d-4ca5a2 0->5 6 4ca55b-4ca57b WriteFile 0->6 5->6 9 4ca57d-4ca59a 6->9 10 4ca5a4-4ca5a9 6->10 10->9
                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,4D9569B2,00000000,00000000,00000000,00000000), ref: 004CA561
                        Memory Dump Source
                        • Source File: 00000016.00000002.2832343335.00000000004CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 004CA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4ca000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: ee2fe4ce109e2293203530c897b03bca67ea3e3b6db03249a0833457fd31ff7d
                        • Instruction ID: e2649c3945dcfc8cffb8ea51f858ec210ed788803e1e910277efbcab8163c6db
                        • Opcode Fuzzy Hash: ee2fe4ce109e2293203530c897b03bca67ea3e3b6db03249a0833457fd31ff7d
                        • Instruction Fuzzy Hash: B121E5764093846FDB22CF61CC44F96BFB8EF46314F08849BE9848B153D228A909C776

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 13 4ca502-4ca559 16 4ca59d-4ca5a2 13->16 17 4ca55b-4ca563 WriteFile 13->17 16->17 19 4ca569-4ca57b 17->19 20 4ca57d-4ca59a 19->20 21 4ca5a4-4ca5a9 19->21 21->20
                        APIs
                        • WriteFile.KERNELBASE(?,00000E84,4D9569B2,00000000,00000000,00000000,00000000), ref: 004CA561
                        Memory Dump Source
                        • Source File: 00000016.00000002.2832343335.00000000004CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 004CA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4ca000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: FileWrite
                        • String ID:
                        • API String ID: 3934441357-0
                        • Opcode ID: d01ad1d30694444f0b5a210388ad146b0a29ef37cb0e6a00af804e4a5cd06520
                        • Instruction ID: ddbdf49393fe064b3f5c8b9223e53ced791cf5c15a50affaae7867adae297a34
                        • Opcode Fuzzy Hash: d01ad1d30694444f0b5a210388ad146b0a29ef37cb0e6a00af804e4a5cd06520
                        • Instruction Fuzzy Hash: 991104B6500204AFEB21CF61CC45F66FBA8EF44328F08C45AEE058B251D338E455CBB6

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 24 4ca23c-4ca288 26 4ca28a-4ca29d SetErrorMode 24->26 27 4ca2b3-4ca2b8 24->27 28 4ca29f-4ca2b2 26->28 29 4ca2ba-4ca2bf 26->29 27->26 29->28
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 004CA290
                        Memory Dump Source
                        • Source File: 00000016.00000002.2832343335.00000000004CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 004CA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4ca000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: 001fb27749149c8af8a6946f6d7ba103a7b8037778dcc1090e859e9722e1a3ba
                        • Instruction ID: 6034f4f0147290bd7a1a0230b87aa8bc9a18ec59d4513edadb7c7f9922aead8f
                        • Opcode Fuzzy Hash: 001fb27749149c8af8a6946f6d7ba103a7b8037778dcc1090e859e9722e1a3ba
                        • Instruction Fuzzy Hash: A1116175409384AFD7228B15DC44B62FFB4DF46624F0880DAED858B263D269A818CB72

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Strings
                        Memory Dump Source
                        • Source File: 00000016.00000002.2836862405.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4a80000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID: :@j
                        • API String ID: 0-4039273937
                        • Opcode ID: 48433615b5e68186cd61fcc2445bde3e40a7e26fea66ef5425c3dffd1ccedb57
                        • Instruction ID: 55a2f5b4aaba3b6471a4e41d2eb9fdf7c1fc3ebb1ec352bfe6d783e0a09c5c04
                        • Opcode Fuzzy Hash: 48433615b5e68186cd61fcc2445bde3e40a7e26fea66ef5425c3dffd1ccedb57
                        • Instruction Fuzzy Hash: B0A14A307042048FDB18BFB4C45576E76F6EF89348F21807DD505CB2A5EBBA988ADB91

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 132 4ca25e-4ca288 133 4ca28a-4ca29d SetErrorMode 132->133 134 4ca2b3-4ca2b8 132->134 135 4ca29f-4ca2b2 133->135 136 4ca2ba-4ca2bf 133->136 134->133 136->135
                        APIs
                        • SetErrorMode.KERNELBASE(?), ref: 004CA290
                        Memory Dump Source
                        • Source File: 00000016.00000002.2832343335.00000000004CA000.00000040.00000800.00020000.00000000.sdmp, Offset: 004CA000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4ca000_dotnetinstaller.jbxd
                        Similarity
                        • API ID: ErrorMode
                        • String ID:
                        • API String ID: 2340568224-0
                        • Opcode ID: f3eeeaca371f92fe23918ca0e517da03801439c20934572405f3b03c3a972dd3
                        • Instruction ID: a5e14fa93d733a98bd5cbf11570b9fbccfcb38878026d4a69aa6b67b4e7d51c5
                        • Opcode Fuzzy Hash: f3eeeaca371f92fe23918ca0e517da03801439c20934572405f3b03c3a972dd3
                        • Instruction Fuzzy Hash: DFF0D1798042188FDB60CF15D885B21FB94DF45328F08C0DADD094B352D279E818CAA3

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        Memory Dump Source
                        • Source File: 00000016.00000002.2836862405.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4a80000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 59ea419616bf4bdf45563c657026a75ec024f85d807e113f7c44b5d31ef54c03
                        • Instruction ID: ce05b7b2df0beda531635f022700a2e2f2101caa42cb6b7e4b4bdde0d6f56d0b
                        • Opcode Fuzzy Hash: 59ea419616bf4bdf45563c657026a75ec024f85d807e113f7c44b5d31ef54c03
                        • Instruction Fuzzy Hash: B851A77090E3858FE721BF64C8543AA7BB1FF42354F0640AEC555CB192E778A88EDB51

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 240 20505df-2050620 242 2050626-2050643 240->242
                        Memory Dump Source
                        • Source File: 00000016.00000002.2835311392.0000000002050000.00000040.00000020.00020000.00000000.sdmp, Offset: 02050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_2050000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 582f8b25a8185da513b7665f9fbbf585f6ebde9f1610e46b38e398c290421a53
                        • Instruction ID: 96b5a2066d35dd3a9e147de5a889d878e80c51993b5f6c097f351ef79d7b6b25
                        • Opcode Fuzzy Hash: 582f8b25a8185da513b7665f9fbbf585f6ebde9f1610e46b38e398c290421a53
                        • Instruction Fuzzy Hash: C001D6B640D7806FD7228F15AC40863FFB8EF86220709C49FEC8987612D329A809C772

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 243 2050606-2050620 244 2050626-2050643 243->244
                        Memory Dump Source
                        • Source File: 00000016.00000002.2835311392.0000000002050000.00000040.00000020.00020000.00000000.sdmp, Offset: 02050000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_2050000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3c5a7625ad8173490699847aa90cba0aabe1198da269e746e82d45b31c57856f
                        • Instruction ID: 36db6d88c6334315915ee0e47239b943decbeb07636bea2b0babbbe57bf91bf7
                        • Opcode Fuzzy Hash: 3c5a7625ad8173490699847aa90cba0aabe1198da269e746e82d45b31c57856f
                        • Instruction Fuzzy Hash: 54E092B66046044B9660CF0AFC41462F7D4EBC4630B08C07FDC0D8B711E639B944CBA5

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 245 4c23f4-4c23ff 246 4c2401-4c240e 245->246 247 4c2412-4c2417 245->247 246->247 248 4c2419 247->248 249 4c241a 247->249 250 4c2420-4c2421 249->250
                        Memory Dump Source
                        • Source File: 00000016.00000002.2832274131.00000000004C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4c2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 30d1fa2dacb9c95c74c5a07400d462fd3677693f1a5a06998bc7f099b5265489
                        • Instruction ID: a6b845caa4f6248ee645e125a098dd9418c867cf2eee1a491e7720eac34fcfd2
                        • Opcode Fuzzy Hash: 30d1fa2dacb9c95c74c5a07400d462fd3677693f1a5a06998bc7f099b5265489
                        • Instruction Fuzzy Hash: 7BD05E7E2046914FD72A8B1CC6A5F9637A4AB51704F4A44FEAC40CB763C7BCD9C1D204

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 251 4c23bc-4c23c3 252 4c23c5-4c23d2 251->252 253 4c23d6-4c23db 251->253 252->253 254 4c23dd-4c23e0 253->254 255 4c23e1 253->255 256 4c23e7-4c23e8 255->256
                        Memory Dump Source
                        • Source File: 00000016.00000002.2832274131.00000000004C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 004C2000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_22_2_4c2000_dotnetinstaller.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4b391850c4c6d71029b6b3aa6e53d04551bdb05d8b52d69ae34e7c168b5bba45
                        • Instruction ID: 3dcfd03411ae61c939e1a3644f4dcb084cac68df7305c5819c7db5a09792137e
                        • Opcode Fuzzy Hash: 4b391850c4c6d71029b6b3aa6e53d04551bdb05d8b52d69ae34e7c168b5bba45
                        • Instruction Fuzzy Hash: 52D017382006814BCB65CA2CC6E4F5A3394AB40704F0A44ADAC108B362C7ECD8C0DA00