Malware Analysis Report

2024-10-10 12:49

Sample ID: 240602-xt3r9sbg4z
Target: 2-FormBook.1-8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.zip
SHA256: 8a14ac66303e93b5d62beb8517508b2416f01fc9414dd046db0d2fa616b9b2e7
Tags: rat dcrat discovery execution infostealer persistence spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 8a14ac66303e93b5d62beb8517508b2416f01fc9414dd046db0d2fa616b9b2e7

Threat Level: Known bad

The file 2-FormBook.1-8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.zip was found to be: Known bad. Note that the "FormBook" label in the archive name is not borne out by the analysis: every family signature below (static and behavioral) matches DcRat, and no FormBook signature fires.

Malicious Activity Summary

rat dcrat discovery execution infostealer persistence spyware stealer

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

Modifies WinLogon for persistence

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 19:09

Signatures

DCRat payload

rat
(no indicator details recorded)

Dcrat family

dcrat

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 19:09

Reported

2024-06-02 19:12

Platform

win7-20240221-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str), 11 writes \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A

Each of the 11 writes appends one more quoted path to the comma-separated Shell value; every intermediate value is a prefix of the final one (the rows in the original table were not listed in write order). Winlogon starts every program in this list at logon, so the sample keeps the default explorer.exe and has its dropped copies launched beside it rather than replacing the shell. Final value, shown unescaped:

explorer.exe, "C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe", "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\audiodg.exe", "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\winlogon.exe", "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe", "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\services.exe", "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\browserwinsvc.exe", "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Arcane CheatSetup.exe", "C:\Program Files (x86)\Windows Portable Devices\conhost.exe", "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe", "C:\Program Files (x86)\Common Files\spoolsv.exe", "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\conhost.exe"

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (33 occurrences)

WmiPrvSE.exe is the WMI provider host: a process started through WMI (for example Win32_Process.Create) is created by the provider host and therefore shows up as its child. The 33 schtasks.exe launches consequently do not hang off the sample's own process tree, which is consistent with the task creation being driven through WMI rather than by a direct CreateProcess from browserwinsvc.exe. The count matches the 33 "Creates scheduled task(s)" entries later in this analysis.
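The parent/child pairing above is a detection in its own right. The following is an added example, not part of the sandbox report, that hunts the Security event log for process-creation events (4688) in which WmiPrvSE.exe is the parent of schtasks.exe. It assumes "Audit Process Creation" is enabled and that the host is Windows 10 / Server 2016 or later, where 4688 carries a ParentProcessName field (older hosts record only the creator PID); the CommandLine field is populated only if "Include command line in process creation events" is enabled as well. The image names and look-back window are parameters, not values from the report.

```powershell
# Added example, not part of the sandbox report: find 4688 events where
# WmiPrvSE.exe spawned schtasks.exe. Assumes process-creation auditing is on
# and the OS records ParentProcessName (Windows 10 / Server 2016 and later).

param(
    [int]$Days = 7,
    [string]$ParentImage = 'wmiprvse.exe',
    [string]$ChildImage  = 'schtasks.exe'
)

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
}

$hits = foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    # Read the EventData fields by name rather than by position.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $child  = $data['NewProcessName']
    $parent = $data['ParentProcessName']      # absent on Windows 7 / 2008 R2
    if (-not $child -or -not $parent) { continue }

    if ((Split-Path $parent -Leaf) -ieq $ParentImage -and
        (Split-Path $child  -Leaf) -ieq $ChildImage) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

if ($hits) {
    "$ParentImage -> $ChildImage seen $(@($hits).Count) time(s) in the last $Days day(s):"
    $hits | Sort-Object Time | Format-Table Time, User, CommandLine -AutoSize -Wrap
} else {
    "No $ParentImage -> $ChildImage process creations in the last $Days day(s)."
}
```

If Sysmon is deployed, its event ID 1 exposes ParentImage and Image directly and the same leaf-name comparison applies without parsing 4688. A burst of 33 schtasks.exe launches from WmiPrvSE.exe within a couple of minutes, as seen here, is well outside what WMI-based management tooling normally produces.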

DCRat payload

rat
5 matches (no indicator details recorded)

Loads dropped DLL

30 load events; the report records only the loading process, not the DLL.
Process Loads
C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe 2
C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe 1
C:\Windows\SysWOW64\cmd.exe 2
C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp 5
C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe 3
C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe 17

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str), 22 writes (see table) C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A

Every value below is written twice: once under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (HKLM) and once under \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run (the logged-on user's hive). Paths are shown unescaped.

Value name Data
csrss "C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe"
winlogon "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\winlogon.exe"
lsm "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe"
smss "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe"
services "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\services.exe"
audiodg "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\audiodg.exe"
spoolsv "C:\Program Files (x86)\Common Files\spoolsv.exe"
browserwinsvc "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\browserwinsvc.exe"
Arcane CheatSetup "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Arcane CheatSetup.exe"
conhost "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\conhost.exe"
conhost "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"

The value name conhost is set to two different paths in both hives; only the later write survives, and the report does not show which one that is.

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\is-E3K41.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-7L9M5.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-K2NOG.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OT7EI.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\fonts\is-DBHMB.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\jsound.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MK616.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-SC4GB.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\deploy\is-EL2NC.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-OV4QR.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\jfr\is-3Q8EN.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\images\cursors\is-JK2TC.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-AU1L9.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-A7V99.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\deploy\is-3M93G.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\088424020bedd6 C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-0M9SE.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\management\is-4D0KN.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-JIS1H.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-5OOQQ.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\fonts\is-M30UF.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\images\cursors\is-L4TA2.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\wsdetect.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\jp2iexp.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-FCV9T.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-0B9HQ.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6N051.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\plugin2\is-DLBVB.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-3CTSO.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\WindowsAccessBridge-32.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-96040.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Common Files\spoolsv.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\088424020bedd6 C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\jfxwebkit.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-DS524.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\lib\is-IIKPO.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-81UHL.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-S3P5N.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\security\is-S6B4K.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\jaas_nt.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\sunec.dll C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-Q8V1A.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-2IB3G.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-681FI.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-JGHQM.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MCA0H.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-D26NT.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\fonts\is-95TDU.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-ITSK7.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-K988F.tmp C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (33 occurrences; task names and triggers are not recorded in this report)

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files (x86)\Windows Portable Devices\conhost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <certificate blob omitted> C:\Program Files (x86)\Windows Portable Devices\conhost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows Portable Devices\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Portable Devices\conhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 340 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe
PID 340 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe
PID 1732 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp
PID 2960 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe C:\Windows\SysWOW64\WScript.exe
PID 2588 wrote to memory of 2620 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
PID 2568 wrote to memory of 1652 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2996 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1828 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2412 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1060 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1020 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 3060 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 776 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2836 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 1752 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2856 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2148 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe

"C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe"

C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe

"C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe"

C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe"

C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp" /SL5="$50146,46527891,119296,C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "

C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

"C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\browserwinsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "browserwinsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\browserwinsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "browserwinsvcb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\browserwinsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Arcane CheatSetupA" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Arcane CheatSetup.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Arcane CheatSetup" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Arcane CheatSetup.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Arcane CheatSetupA" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Arcane CheatSetup.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\it-IT\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\browserwinsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Arcane CheatSetup.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\conhost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\keIDo3UiRR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Portable Devices\conhost.exe

"C:\Program Files (x86)\Windows Portable Devices\conhost.exe"

C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe

"C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe"

C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe

"C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar" org.develnext.jphp.ext.javafx.FXLauncher

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 104.21.22.205:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe

MD5 81e98d594505e0008d35ff1e1d2e4e41
SHA1 d1852f516c8ffb87ca8a7e8146eafcd8d8a57369
SHA256 152dbb49fb78f6daa7ff14b44ea558e5164041cd7fe8a372e41a6d9f0d382512
SHA512 f9e4a531d5ba36d9924f0fa230bda219e17bacadc0c6a0e9a4f0cc96f96ff92a775cf33a5fd81291165fa36c0031d16efbdf8bb4c499e20ebbcd30e60e515930

memory/1732-6-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe

MD5 593631a643aa6ab0af08189773812e6d
SHA1 6004dfe157f5be08b4591819bc7f76b5b12a08d9
SHA256 da0500db781ce974a0c4d9b6f245d2302f90dc932d23402d1441e3d5c77c6cd4
SHA512 057b00aa42a3b2da1dfaa646aa6bd0c8d9cdd3f34848f595b56aed2bf02f5d89092a7b2722bb24d3f860619fb305c994546ec6d43c6da1ef2fa82acc6cd5a643

C:\Users\Admin\AppData\Local\Temp\is-MP2VR.tmp\Arcane CheatSetup.tmp

MD5 129b8e200a6e90e813080c9ce0474063
SHA1 b5352cdae50e5ddf3eb62f75f2e77042386b8841
SHA256 cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839
SHA512 10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

memory/340-14-0x0000000000400000-0x0000000003281000-memory.dmp

C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe

MD5 3944ff0b2b8a1617f5e571ebc259a0e6
SHA1 17137e6ccd0437adecb866e9b44f94cebbbdd878
SHA256 693c79dbd630e1180ddb96b8d51895a9f27a01ae25c27aebbc55be5e4874335d
SHA512 0e76c530e8739f559989e3657ed06a91d121ba37dc18d15c2feca9ac986bad1adcfc6e86d54b097483f08c8bfd890079280c46029f71707c02d02af96d767b03

\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

MD5 e780bb029d808cb41937f4f7cd022b45
SHA1 ad1a7bc098d991e576cf59aa87d844e2991da43a
SHA256 772574576b825f97aa91ce0d24b0ba83fdb0de3a0545296e1d6d28f1349f1456
SHA512 0152df85a9ebe44f750bfbb53735400cb08b406dcde80c2fba7627d00533b485ae1b3cb419f9c895f22b05582fb25e0ae2f6b12e9afb78f721c75fe019e6dda5

C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat

MD5 6de687cf7ca366429c953cb49905b70a
SHA1 58e2c1823c038d8da8a2f042672027184066279e
SHA256 80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611
SHA512 6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef

memory/2568-35-0x0000000000A20000-0x0000000000B92000-memory.dmp

memory/2568-36-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/2568-37-0x0000000000910000-0x000000000092C000-memory.dmp

memory/2568-39-0x00000000009C0000-0x00000000009D6000-memory.dmp

memory/2568-41-0x00000000009F0000-0x00000000009FE000-memory.dmp

memory/2568-40-0x00000000009E0000-0x00000000009F0000-memory.dmp

memory/2568-38-0x0000000000930000-0x0000000000938000-memory.dmp

memory/2568-42-0x0000000000A00000-0x0000000000A0A000-memory.dmp

memory/2568-43-0x0000000000A10000-0x0000000000A1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e861a2762850ad809bb465f58ea6a230
SHA1 9c8c7ea70e6f9b394f96a5afbe210186a77a1236
SHA256 aec9e2fb680a700479f925470f5847e280bd854448348823d35b75cbbeebc700
SHA512 11ea0c97957387d8a83fcde27cc5e595ec43c1cc47f81811e215ba1f24771d40b413b500128d140981689ecee008e6fc20cb41da248d787c27c692d9c6461f26

memory/2996-90-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/2996-92-0x0000000001E00000-0x0000000001E08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keIDo3UiRR.bat

MD5 575fa89ca82a521796b313b9f1b886b0
SHA1 e5a73ec715aec476aa32aa170d39d724ae34dfb3
SHA256 6172ac2ddb5005517bacd3e4b96b47c3deaf1321f728c77a2e7ba4347cf46cff
SHA512 b425a22932bb966f3316fb31df0534d5fa5768cb0c7ec8259501664f88f374a45a6e9a72763edc2efd635b902576fe07b22f066840a77764b11cc210e8bbb2b8

memory/1268-134-0x0000000000020000-0x0000000000192000-memory.dmp

memory/2956-136-0x0000000000400000-0x000000000052C000-memory.dmp

memory/1732-135-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-8GH81.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2956-148-0x0000000000400000-0x000000000052C000-memory.dmp

C:\Program Files (x86)\Arcane Cheat\jre\lib\images\cursors\is-SBPOG.tmp

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe

MD5 ca86297e7a02a2c1e91c4ecc897b7dcc
SHA1 a2e3eae2dd5bad41f349818f004dbe1ba89c1e89
SHA256 8c3e900295aa5a4571719ccf6ac6739febff2865755f1e75c38433c29283a67a
SHA512 6613575793250f50c9a319b6f1cd758d9d74651b1ab1da366a99d308c3384ecf4ad240a8aa14bc6d3c547dbe283fb8b9055aeda73573cd784a8aa43c79b97c2e

\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe

MD5 48c96771106dbdd5d42bba3772e4b414
SHA1 e84749b99eb491e40a62ed2e92e4d7a790d09273
SHA256 a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22
SHA512 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

memory/2956-608-0x0000000000400000-0x000000000052C000-memory.dmp

\Program Files (x86)\Arcane Cheat\jre\bin\java.dll

MD5 73bd0b62b158c5a8d0ce92064600620d
SHA1 63c74250c17f75fe6356b649c484ad5936c3e871
SHA256 e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30
SHA512 eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

memory/340-614-0x0000000000400000-0x0000000000415000-memory.dmp

\Program Files (x86)\Arcane Cheat\jre\bin\verify.dll

MD5 de2167a880207bbf7464bcd1f8bc8657
SHA1 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7
SHA256 fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3
SHA512 bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Program Files (x86)\Arcane Cheat\jre\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Program Files (x86)\Arcane Cheat\jre\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

\Program Files (x86)\Arcane Cheat\jre\bin\zip.dll

C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\meta-index

C:\Program Files (x86)\Arcane Cheat\lib\jphp-gui-ext.jar

C:\Program Files (x86)\Arcane Cheat\lib\jphp-runtime.jar

C:\Program Files (x86)\Arcane Cheat\lib\jphp-json-ext.jar

C:\Program Files (x86)\Arcane Cheat\lib\jphp-desktop-ext.jar

C:\Program Files (x86)\Arcane Cheat\lib\jphp-core.jar

C:\Program Files (x86)\Arcane Cheat\lib\jphp-app-framework.jar

C:\Program Files (x86)\Arcane Cheat\lib\gson.jar

C:\Program Files (x86)\Arcane Cheat\lib\dn-php-sdk.jar

C:\Program Files (x86)\Arcane Cheat\lib\dn-compiled-module.jar

C:\Program Files (x86)\Arcane Cheat\lib\asm-all.jar

C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\jfxrt.jar

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 19:09

Reported

2024-06-02 19:12

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\sysmon.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\sysmon.exe\", \"C:\\Users\\Admin\\explorer.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\sysmon.exe\", \"C:\\Users\\Admin\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\sysmon.exe\", \"C:\\Users\\Admin\\explorer.exe\", \"C:\\Program Files\\Windows Mail\\dllhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\winlogon.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Downloaded Program Files\\winlogon.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\dllhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\Registration\\lsass.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\explorer.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Downloaded Program Files\\winlogon.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\dllhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Surrogateprovidercomponentsessionmonitor\\conhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\sysmon.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\dllhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\Registry.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\sysmon.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\explorer.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Surrogateprovidercomponentsessionmonitor\\explorer.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Surrogateprovidercomponentsessionmonitor\\RuntimeBroker.exe\"" C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-MLROM.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-UVK3Q.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\security\is-F92L7.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-4KLC4.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\images\cursors\is-BD58T.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files\Java\RuntimeBroker.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\splashscreen.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\java.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-6V4R4.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-CUU2G.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-R7U1T.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\fonts\is-001NQ.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\images\cursors\is-K532M.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-EONNM.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-9MQPL.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-8CTRA.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\deploy\is-7UBMK.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-QMECI.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\cmm\is-JK3IB.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\security\is-5JNH9.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\fontmanager.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\net.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-JHUN8.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-F83A1.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-8OGSN.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\security\is-8KN66.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\bci.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-S281H.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-7IE9E.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\security\is-QI8F9.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-9HAVL.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\instrument.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\zip.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-K6NUM.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-C05JO.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OL56R.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\is-8U4F4.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-2QAU1.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-OV51S.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\lib\is-8PVVM.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\jsound.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\JavaAccessBridge-32.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\is-DID3B.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\is-BOUO2.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\JAWTAccessBridge.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\javafx_font_t2k.dll C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-73C5A.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\deploy\is-MRGSK.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\lib\is-BG6LI.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\security\is-E31PV.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\lib\is-K2CGL.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-GORR5.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\bin\is-ULGQI.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\cmm\is-PI37A.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\deploy\is-9FPGB.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-M3IAR.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File created C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\is-393AD.tmp C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
File opened for modification C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\winlogon.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File created C:\Windows\Downloaded Program Files\cc11b995f2a76d C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\Registry.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\ee2ad38f3d4382 C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 596 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe
PID 596 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe
PID 596 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe
PID 596 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe
PID 596 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe
PID 596 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe
PID 4788 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp
PID 4788 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp
PID 4788 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp
PID 840 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe C:\Windows\SysWOW64\WScript.exe
PID 840 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe C:\Windows\SysWOW64\WScript.exe
PID 840 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe C:\Windows\SysWOW64\WScript.exe
PID 1008 wrote to memory of 3752 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 3752 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1008 wrote to memory of 3752 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
PID 3752 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
PID 1084 wrote to memory of 2732 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2732 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3784 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3784 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3928 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3928 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3052 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3052 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1684 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1684 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1064 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1064 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 344 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 344 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2512 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2512 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4644 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4644 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4544 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4544 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 984 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 984 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3728 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 3728 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2812 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 2812 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1832 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1832 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4248 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 4248 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 820 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 820 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1084 wrote to memory of 1540 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\cmd.exe
PID 1084 wrote to memory of 1540 N/A C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe C:\Windows\System32\cmd.exe
PID 1540 wrote to memory of 5656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1540 wrote to memory of 5656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1540 wrote to memory of 5224 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe
PID 1540 wrote to memory of 5224 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe
PID 4180 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe
PID 4180 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe
PID 4180 wrote to memory of 5352 N/A C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe
PID 5352 wrote to memory of 5452 N/A C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe
PID 5352 wrote to memory of 5452 N/A C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe
PID 5352 wrote to memory of 5452 N/A C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe
PID 416 wrote to memory of 4836 N/A C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe
PID 416 wrote to memory of 4836 N/A C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe
PID 416 wrote to memory of 4836 N/A C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe

"C:\Users\Admin\AppData\Local\Temp\8342c29aacd500b5d424822648331736379f18bdb6bc27a7e7a579544570fa8a.exe"

C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe

"C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe"

C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe"

C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp" /SL5="$C0056,46527891,119296,C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat" "

C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

"C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Surrogateprovidercomponentsessionmonitor\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Surrogateprovidercomponentsessionmonitor\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T0cy42yCgC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe

"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sysmon.exe"

C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe

"C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe"

C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe

"C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe

"C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe"

C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe

"C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar" org.develnext.jphp.ext.javafx.FXLauncher
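
The command lines above repeat one persistence recipe per dropped binary: a task triggered at logon, one or two minute-interval tasks for the same file, most with /rl HIGHEST, each task named after the file (winlogon / winlogonw, lsass / lsassl), and then a Defender exclusion for exactly that path. The Python below is an added detection example written for this page; it is not sandbox output and not DcRat code. Its sample input is copied from the report's command lines plus one constructed benign schtasks line as a control, and the list of masqueraded names and legitimate directories is an assumption derived from the paths in this report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File names the dropped copies in this report borrow from Windows binaries.
# Assumption: the legitimate ones live under C:\Windows, System32 or SysWOW64,
# so a scheduled task launching one of these names from elsewhere is suspect.
MASQUERADED_NAMES = {
    "winlogon.exe", "explorer.exe", "runtimebroker.exe", "registry.exe",
    "dllhost.exe", "conhost.exe", "lsass.exe", "sysmon.exe", "sppextcomobj.exe",
}
LEGIT_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Matches: schtasks.exe /create /tn "<name>" /sc <sched> [/mo <n>] /tr "'<path>'" <rest>
SCHTASKS_RE = re.compile(
    r"""schtasks(?:\.exe)?\s+/create\s+/tn\s+"(?P<tn>[^"]+)"\s+/sc\s+(?P<sc>\w+)"""
    r"""(?:\s+/mo\s+(?P<mo>\d+))?\s+/tr\s+"'?(?P<tr>[^'"]+)'?"(?P<rest>.*)$""",
    re.IGNORECASE)
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)


def parse_task(line):
    """Return the fields of a `schtasks /create` line, or None for other lines."""
    m = SCHTASKS_RE.search(line)
    if not m:
        return None
    return {
        "name": m.group("tn"),
        "schedule": m.group("sc").upper(),
        "interval": int(m.group("mo")) if m.group("mo") else None,
        "target": m.group("tr").strip(),
        "highest": "/rl highest" in m.group("rest").lower(),
    }


def is_masquerade(target):
    """True if the target reuses a system-binary name outside its real directory."""
    p = PureWindowsPath(target)
    return p.name.lower() in MASQUERADED_NAMES and str(p.parent).lower() not in LEGIT_DIRS


def name_derived_from_target(task):
    """Task name equals the file stem, or the stem plus its own first letter."""
    stem = PureWindowsPath(task["target"]).stem.lower()
    return task["name"].lower() in (stem, stem + stem[0])


def analyse(lines):
    tasks = [t for t in map(parse_task, lines) if t]
    exclusions = [m.group("path") for m in map(EXCLUSION_RE.search, lines) if m]

    by_target = defaultdict(list)           # lower-cased path -> its tasks
    for t in tasks:
        by_target[t["target"].lower()].append(t)

    findings = []
    for target, group in by_target.items():
        schedules = {t["schedule"] for t in group}
        reasons = []
        if {"ONLOGON", "MINUTE"} <= schedules:
            reasons.append("logon trigger plus minute-interval trigger for one binary")
        if any(t["highest"] for t in group):
            reasons.append("runs with /rl HIGHEST")
        if is_masquerade(target):
            reasons.append("system binary name outside its real directory")
            if all(name_derived_from_target(t) for t in group):
                reasons.append("task names derived from the file name")
        if reasons:
            findings.append({"target": group[0]["target"], "reasons": reasons})

    # Pair each Defender exclusion with the persisted binary it shields.
    shielded = [p for p in exclusions if p.lower() in by_target]
    unpaired = [p for p in exclusions if p.lower() not in by_target]
    return {"tasks": tasks, "findings": findings,
            "shielded_exclusions": shielded, "unpaired_exclusions": unpaired}


SAMPLE = [
    # Copied from the report's command-line section:
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /f""",
    r"""schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'" /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'" /rl HIGHEST /f""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\winlogon.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\lsass.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\RuntimeBroker.exe'""",
    # Constructed benign control line, not from the report:
    r"""schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Program Files\Acme\backup.exe'" /f""",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE)["findings"]:
        print(f["target"], "->", "; ".join(f["reasons"]))
```

The exclusion pairing is the strongest single signal here: a Defender exclusion whose path is also the target of a freshly created scheduled task has no benign explanation on a workstation, whereas any one of the task attributes on its own (HIGHEST, a minute interval, a name like "explorer") can occur in legitimate software.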

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
US 172.67.206.236:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 236.206.67.172.in-addr.arpa udp
US 172.67.206.236:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 74.83.221.88.in-addr.arpa udp
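
The table above mixes forward lookups and connections to two IP-geolocation services (ip-api.com, ipinfo.io), the Telegram Bot API, one domain that fits neither, and a run of reverse (in-addr.arpa) lookups. Decoding the PTR names and checking them against the IPs the sample actually connected to separates reverse lookups that correspond to observed connections from those that do not. The Python below is an added triage example for this page, not part of the sandbox report; the rows are a subset copied from the table above, and the service lists and category names are the editor's assumptions.

```python
import re
from collections import defaultdict

# Assumed classification of well-known hosts seen in the table.
IP_LOOKUP_SERVICES = {"ip-api.com", "ipinfo.io"}   # public IP-geolocation APIs
MESSAGING_APIS = {"api.telegram.org"}               # Telegram Bot API
DNS_RESOLVERS = {"8.8.8.8"}

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def decode_ptr(name):
    """Turn a reverse-lookup name back into the forward IPv4 address, or None."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text):
    """Parse 'country ip:port domain proto' rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(text):
    rows = parse_rows(text)
    contacted = defaultdict(set)   # domain -> {"ip:port", ...} for non-DNS traffic
    contacted_ips, ptr_targets = set(), set()
    for r in rows:
        if r["port"] == 53 and r["ip"] in DNS_RESOLVERS:
            ip = decode_ptr(r["domain"])
            if ip:
                ptr_targets.add(ip)
            continue                                 # forward lookups carry no extra info here
        contacted[r["domain"]].add(f"{r['ip']}:{r['port']}")
        contacted_ips.add(r["ip"])

    categories = defaultdict(set)
    for domain in contacted:
        if domain in IP_LOOKUP_SERVICES:
            categories["ip-lookup"].add(domain)
        elif domain in MESSAGING_APIS:
            categories["messaging-api"].add(domain)
        else:
            categories["unclassified"].add(domain)   # review first: candidate C2

    # Reverse lookups for addresses the sample never connected to directly.
    orphan_ptr = ptr_targets - contacted_ips - DNS_RESOLVERS
    return {"contacted": dict(contacted), "categories": dict(categories),
            "orphan_ptr": orphan_ptr}


# Subset of rows copied from the report's Network table.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
US 172.67.206.236:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 236.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
"""

if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for cat, domains in result["categories"].items():
        print(cat, sorted(domains))
    print("PTR lookups without a matching connection:", sorted(result["orphan_ptr"]))
```

On this subset the unclassified bucket contains only 729231cm.n9shteam1.top over plain HTTP, which is the host to pivot on; the two orphan PTR targets (52.137.106.217 and 40.68.123.157) have no direct connection in the table, so whether they belong to the sample or to the host's own background traffic cannot be decided from the report alone.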

Files

C:\Users\Admin\AppData\Local\Temp\Arcane CheatSetup.exe

MD5 81e98d594505e0008d35ff1e1d2e4e41
SHA1 d1852f516c8ffb87ca8a7e8146eafcd8d8a57369
SHA256 152dbb49fb78f6daa7ff14b44ea558e5164041cd7fe8a372e41a6d9f0d382512
SHA512 f9e4a531d5ba36d9924f0fa230bda219e17bacadc0c6a0e9a4f0cc96f96ff92a775cf33a5fd81291165fa36c0031d16efbdf8bb4c499e20ebbcd30e60e515930

memory/4788-16-0x0000000000401000-0x0000000000412000-memory.dmp

memory/4788-11-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Arcane Cheat.exe

MD5 593631a643aa6ab0af08189773812e6d
SHA1 6004dfe157f5be08b4591819bc7f76b5b12a08d9
SHA256 da0500db781ce974a0c4d9b6f245d2302f90dc932d23402d1441e3d5c77c6cd4
SHA512 057b00aa42a3b2da1dfaa646aa6bd0c8d9cdd3f34848f595b56aed2bf02f5d89092a7b2722bb24d3f860619fb305c994546ec6d43c6da1ef2fa82acc6cd5a643

C:\Users\Admin\AppData\Local\Temp\is-97PB9.tmp\Arcane CheatSetup.tmp

MD5 129b8e200a6e90e813080c9ce0474063
SHA1 b5352cdae50e5ddf3eb62f75f2e77042386b8841
SHA256 cf0018affdd0b7921f922f1741ad229ec52c8a7d6c2b19889a149e0cc24aa839
SHA512 10949e7f0b6dd55e0a5d97e4531ef61427920cccc2136c0dd3607cdc79afa0d8a7178965a07039948da97f0200ead8fe5a54921620c943c7fc76dd5ef5a7c841

memory/596-22-0x0000000000400000-0x0000000003281000-memory.dmp

C:\Surrogateprovidercomponentsessionmonitor\lEI1Ux7.vbe

MD5 3944ff0b2b8a1617f5e571ebc259a0e6
SHA1 17137e6ccd0437adecb866e9b44f94cebbbdd878
SHA256 693c79dbd630e1180ddb96b8d51895a9f27a01ae25c27aebbc55be5e4874335d
SHA512 0e76c530e8739f559989e3657ed06a91d121ba37dc18d15c2feca9ac986bad1adcfc6e86d54b097483f08c8bfd890079280c46029f71707c02d02af96d767b03

C:\Surrogateprovidercomponentsessionmonitor\bjWdhUfYhC7CKzpdCHePv6eJ.bat

MD5 6de687cf7ca366429c953cb49905b70a
SHA1 58e2c1823c038d8da8a2f042672027184066279e
SHA256 80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611
SHA512 6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef

C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

MD5 e780bb029d808cb41937f4f7cd022b45
SHA1 ad1a7bc098d991e576cf59aa87d844e2991da43a
SHA256 772574576b825f97aa91ce0d24b0ba83fdb0de3a0545296e1d6d28f1349f1456
SHA512 0152df85a9ebe44f750bfbb53735400cb08b406dcde80c2fba7627d00533b485ae1b3cb419f9c895f22b05582fb25e0ae2f6b12e9afb78f721c75fe019e6dda5

memory/1084-38-0x00000000001E0000-0x0000000000352000-memory.dmp

memory/1084-39-0x0000000000C20000-0x0000000000C2E000-memory.dmp

memory/1084-43-0x000000001AEB0000-0x000000001AEC6000-memory.dmp

memory/1084-42-0x0000000002510000-0x0000000002518000-memory.dmp

memory/1084-45-0x000000001AFF0000-0x000000001AFFE000-memory.dmp

memory/1084-44-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

memory/1084-41-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

memory/1084-40-0x000000001AE90000-0x000000001AEAC000-memory.dmp

memory/1084-47-0x000000001B010000-0x000000001B01C000-memory.dmp

memory/1084-46-0x000000001B000000-0x000000001B00A000-memory.dmp

memory/3928-87-0x00000222F09B0000-0x00000222F09D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3d1tv4ml.02t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\T0cy42yCgC.bat

MD5 6e71a4564772134b9ed144d01789a7fc
SHA1 fcdb38df3fbc350f6e68be5968a7b3ea2d1981a3
SHA256 3f31c61a52659f9830fcb7a5320f5761cf68fdd739367b9f22aa23531cddb6d1
SHA512 63683b17e068050fb4633d081f4013af5a268a5f2720eb384ac2b26376b28b3bcc2f3fdfe6de4a8b7cb949eaf66ee6dcfbfb7f953920f6fa5423df3e9a0ab354

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bd5940f08d0be56e65e5f2aaf47c538e
SHA1 d7e31b87866e5e383ab5499da64aba50f03e8443
SHA256 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
SHA512 c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d2a7ed52551c3078061bf4511577bd04
SHA1 43f42e9a5b88e353096ca52dd2484dcfcce7d70a
SHA256 5acfeec2964f521516b2bca3d78b853807e7ea2189a6e38c9625234feba20608
SHA512 01b08438af25724fbae4490aa7bfd8396a7613032e245ba895d58c4ae0bb483f0059b297b4c1ce9e81077288ad064dfdf546faf647f6fbc5527d9bdd0110f09f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 440cb38dbee06645cc8b74d51f6e5f71
SHA1 d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA256 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA512 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/4788-269-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4180-270-0x0000000000400000-0x000000000052C000-memory.dmp

C:\Program Files (x86)\Arcane Cheat\jre\lib\images\cursors\is-K532M.tmp

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Program Files (x86)\Arcane Cheat\Arcane Cheat.exe

MD5 ca86297e7a02a2c1e91c4ecc897b7dcc
SHA1 a2e3eae2dd5bad41f349818f004dbe1ba89c1e89
SHA256 8c3e900295aa5a4571719ccf6ac6739febff2865755f1e75c38433c29283a67a
SHA512 6613575793250f50c9a319b6f1cd758d9d74651b1ab1da366a99d308c3384ecf4ad240a8aa14bc6d3c547dbe283fb8b9055aeda73573cd784a8aa43c79b97c2e

memory/5224-703-0x000000001CD20000-0x000000001CEE2000-memory.dmp

memory/5224-704-0x000000001D620000-0x000000001DB48000-memory.dmp

memory/4180-706-0x0000000000400000-0x000000000052C000-memory.dmp

C:\Program Files (x86)\Arcane Cheat\jre\bin\javaw.exe

MD5 48c96771106dbdd5d42bba3772e4b414
SHA1 e84749b99eb491e40a62ed2e92e4d7a790d09273
SHA256 a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22
SHA512 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

memory/5352-750-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Program Files (x86)\Arcane Cheat\jre\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Program Files (x86)\Arcane Cheat\jre\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

C:\Program Files (x86)\Arcane Cheat\jre\bin\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Program Files (x86)\Arcane Cheat\jre\bin\verify.dll

MD5 de2167a880207bbf7464bcd1f8bc8657
SHA1 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7
SHA256 fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3
SHA512 bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

C:\Program Files (x86)\Arcane Cheat\jre\bin\java.dll

MD5 73bd0b62b158c5a8d0ce92064600620d
SHA1 63c74250c17f75fe6356b649c484ad5936c3e871
SHA256 e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30
SHA512 eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

C:\Program Files (x86)\Arcane Cheat\jre\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

C:\Program Files (x86)\Arcane Cheat\jre\bin\zip.dll

MD5 cb99b83bbc19cd0e1c2ec6031d0a80bc
SHA1 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd
SHA256 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec
SHA512 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\meta-index

MD5 77abe2551c7a5931b70f78962ac5a3c7
SHA1 a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc
SHA256 c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4
SHA512 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

C:\Program Files (x86)\Arcane Cheat\lib\asm-all.jar

MD5 f5ad16c7f0338b541978b0430d51dc83
SHA1 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a
SHA256 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d
SHA512 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

C:\Program Files (x86)\Arcane Cheat\lib\jphp-gui-ext.jar

MD5 6696368a09c7f8fed4ea92c4e5238cee
SHA1 f89c282e557d1207afd7158b82721c3d425736a7
SHA256 c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4
SHA512 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

C:\Program Files (x86)\Arcane Cheat\lib\jphp-desktop-ext.jar

MD5 b50e2c75f5f0e1094e997de8a2a2d0ca
SHA1 d789eb689c091536ea6a01764bada387841264cb
SHA256 cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23
SHA512 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

C:\Program Files (x86)\Arcane Cheat\jre\lib\ext\jfxrt.jar

MD5 042b3675517d6a637b95014523b1fd7d
SHA1 82161caf5f0a4112686e4889a9e207c7ba62a880
SHA256 a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22
SHA512 7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

C:\Program Files (x86)\Arcane Cheat\lib\jphp-runtime.jar

MD5 d5ef47c915bef65a63d364f5cf7cd467
SHA1 f711f3846e144dddbfb31597c0c165ba8adf8d6b
SHA256 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6
SHA512 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

C:\Program Files (x86)\Arcane Cheat\lib\jphp-json-ext.jar

MD5 fde38932b12fc063451af6613d4470cc
SHA1 bc08c114681a3afc05fb8c0470776c3eae2eefeb
SHA256 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830
SHA512 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

C:\Program Files (x86)\Arcane Cheat\lib\jphp-core.jar

MD5 7e5e3d6d352025bd7f093c2d7f9b21ab
SHA1 ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57
SHA256 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a
SHA512 c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

C:\Program Files (x86)\Arcane Cheat\lib\jphp-app-framework.jar

MD5 0c8768cdeb3e894798f80465e0219c05
SHA1 c4da07ac93e4e547748ecc26b633d3db5b81ce47
SHA256 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669
SHA512 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

C:\Program Files (x86)\Arcane Cheat\lib\gson.jar

MD5 5134a2350f58890ffb9db0b40047195d
SHA1 751f548c85fa49f330cecbb1875893f971b33c4e
SHA256 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32
SHA512 c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

C:\Program Files (x86)\Arcane Cheat\lib\dn-php-sdk.jar

MD5 3e5e8cccff7ff343cbfe22588e569256
SHA1 66756daa182672bff27e453eed585325d8cc2a7a
SHA256 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4
SHA512 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

C:\Program Files (x86)\Arcane Cheat\lib\dn-compiled-module.jar

MD5 09a5796f0c8be8288067374a09ee5b61
SHA1 9ebf1f5cc79c49bca767db1640dbb8db6c9e500f
SHA256 2d1790ef6a7262dee38702feea2c8efe4b804b2da5983e598801f322ef0bf90f
SHA512 d9a63d01658d61e1adac17d792154c8f94d44998dc27a74e71547bb9ab3a56d5eb6adc5120cad9048e8a648c2e4958246a3da354fa9d52104165f494efd3ba12

memory/5452-806-0x00000000011D0000-0x00000000011D1000-memory.dmp

C:\Program Files (x86)\Arcane Cheat\lib\jphp-zend-ext.jar

MD5 4bc2aea7281e27bc91566377d0ed1897
SHA1 d02d897e8a8aca58e3635c009a16d595a5649d44
SHA256 4aef566bbf3f0b56769a0c45275ebbf7894e9ddb54430c9db2874124b7cea288
SHA512 da35bb2f67bca7527dc94e5a99a162180b2701ddca2c688d9e0be69876aca7c48f192d0f03d431ccd2d8eec55e0e681322b4f15eba4db29ef5557316e8e51e10

C:\Program Files (x86)\Arcane Cheat\lib\jphp-xml-ext.jar

MD5 0a79304556a1289aa9e6213f574f3b08
SHA1 7ee3bde3b1777bf65d4f62ce33295556223a26cd
SHA256 434e57fffc7df0b725c1d95cabafdcdb83858ccb3e5e728a74d3cf33a0ca9c79
SHA512 1560703d0c162d73c99cef9e8ddc050362e45209cc8dea6a34a49e2b6f99aae462eae27ba026bdb29433952b6696896bb96998a0f6ac0a3c1dbbb2f6ebc26a7e

C:\Program Files (x86)\Arcane Cheat\jre\lib\currency.data

MD5 f6258230b51220609a60aa6ba70d68f3
SHA1 b5b95dd1ddcd3a433db14976e3b7f92664043536
SHA256 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441
SHA512 b2dfcfdebf9596f2bb05f021a24335f1eb2a094dca02b2d7dd1b7c871d5eecda7d50da7943b9f85edb5e92d9be6b6adfd24673ce816df3960e4d68c7f894563f

C:\Program Files (x86)\Arcane Cheat\jre\lib\security\java.security

MD5 409c132fe4ea4abe9e5eb5a48a385b61
SHA1 446d68298be43eb657934552d656fa9ae240f2a2
SHA256 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
SHA512 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

C:\Program Files (x86)\Arcane Cheat\jre\bin\net.dll

MD5 691b937a898271ee2cffab20518b310b
SHA1 abedfcd32c3022326bc593ab392dea433fcf667c
SHA256 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61
SHA512 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

C:\Program Files (x86)\Arcane Cheat\jre\lib\jsse.jar

MD5 fd1434c81219c385f30b07e33cef9f30
SHA1 0b5ee897864c8605ef69f66dfe1e15729cfcbc59
SHA256 bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5
SHA512 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

memory/4180-836-0x0000000000400000-0x000000000052C000-memory.dmp

memory/4788-838-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5452-853-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/5452-857-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/5452-883-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/5452-897-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/5452-905-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/416-924-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4836-955-0x00000000014E0000-0x00000000014E1000-memory.dmp