Windows Analysis Report br4Cu3BycW.exe

Overview

General Information

Sample Name: br4Cu3BycW.exe
Analysis ID: 492023
MD5: ec72a93f6279b16006f2196f330166ee
SHA1: 74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
SHA256: 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
Tags: exe
Infos:

Detection

Vidar
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
.NET source code contains in memory code execution
Found many strings related to Crypto-Wallets (likely being stolen)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Yara detected Credential Stealer
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • br4Cu3BycW.exe (PID: 4352 cmdline: 'C:\Users\user\Desktop\br4Cu3BycW.exe' MD5: EC72A93F6279B16006F2196F330166EE)
    • br4Cu3BycW.tmp (PID: 5816 cmdline: 'C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp' /SL5='$302CC,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' MD5: EEB69F7B86959AE72B9D37443FB7F3D0)
      • br4Cu3BycW.exe (PID: 5092 cmdline: 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT MD5: EC72A93F6279B16006F2196F330166EE)
        • br4Cu3BycW.tmp (PID: 5636 cmdline: 'C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp' /SL5='$120262,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT MD5: EEB69F7B86959AE72B9D37443FB7F3D0)
          • CrystalReports.exe (PID: 6532 cmdline: 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe' MD5: 11DD538F1BF5F174834DBA334964A691)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.562826054.0000000002670000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: CrystalReports.exe PID: 6532 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: CrystalReports.exe PID: 6532 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

        Sigma Overview

        No Sigma rule has matched

        Jbx Signature Overview

        AV Detection:

        Multi AV Scanner detection for submitted file
        Source: br4Cu3BycW.exeReversingLabs: Detection: 28%
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy)ReversingLabs: Detection: 11%
        Source: br4Cu3BycW.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
        Source: br4Cu3BycW.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: Microsoft.ReportViewer.ProcessingObjectModel.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313356977.0000000005020000.00000004.00000001.sdmp
        Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313634151.00000000052B7000.00000004.00000001.sdmp
        Source: Binary string: C:\lib\source\Programming\pdb\V\qt\YordansDev\SoftwareIdeasMod.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313356977.0000000005020000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000002.564667817.000000006E418000.00000002.00020000.sdmp
        Source: Binary string: C:\SharpShell\Antlr4\2016\brutal\qtbase\pdb\obj\ReportSource\InstallDir.pdb, source: br4Cu3BycW.tmp, 00000006.00000003.313835151.0000000005454000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000000.313157363.0000000000818000.00000002.00020000.sdmp
        Source: Binary string: C:\SharpShell\Antlr4\2016\brutal\qtbase\pdb\obj\ReportSource\InstallDir.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313835151.0000000005454000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000000.313157363.0000000000818000.00000002.00020000.sdmp
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040AEF4 FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0060C2B0 FindFirstFileW,GetLastError,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E6A0 FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_0040AEF4 FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0060C2B0 FindFirstFileW,GetLastError,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0040E6A0 FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
        Source: global trafficTCP traffic: 192.168.2.3:49750 -> 147.135.170.166:80
        Source: unknownTCP traffic detected without corresponding DNS query: 147.135.170.166
        Source: CrystalReports.exe, 00000007.00000002.562905629.000000000298E000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000002.562973809.00000000029C9000.00000004.00000001.sdmpString found in binary or memory: http://147.135.170.166/
        Source: CrystalReports.exe, 00000007.00000002.562956056.00000000029BC000.00000004.00000001.sdmpString found in binary or memory: http://147.135.170.166/public/sqlite3.dll
        Source: br4Cu3BycW.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
        Source: br4Cu3BycW.exe, 00000001.00000000.291530207.0000000000401000.00000020.00020000.sdmp, br4Cu3BycW.exe, 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmpString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
        Source: br4Cu3BycW.tmp, br4Cu3BycW.tmp, 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmpString found in binary or memory: https://www.innosetup.com/
        Source: br4Cu3BycW.tmpString found in binary or memory: https://www.remobjects.com/ps

        System Summary:

        PE file has a writeable .text section
        Source: is-7MTO8.tmp.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,
        Source: br4Cu3BycW.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: br4Cu3BycW.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: br4Cu3BycW.exe, 00000001.00000003.292227773.00000000025F0000.00000004.00000001.sdmpBinary or memory string: OriginalFileName vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exe, 00000001.00000003.302497238.0000000002378000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekernel32j% vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exe, 00000005.00000000.298033659.00000000004C6000.00000002.00020000.sdmpBinary or memory string: OriginalFileName vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exe, 00000005.00000003.320593435.0000000000A68000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekernel32j% vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: br4Cu3BycW.tmp.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: br4Cu3BycW.tmp.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: is-7MTO8.tmp.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exeSection loaded: sqlite3.dll
        Source: is-33ENG.tmp.6.drStatic PE information: Number of sections : 13 > 10
        Source: is-5P6B9.tmp.6.drStatic PE information: Number of sections : 14 > 10
        Source: is-KTI9L.tmp.6.drStatic PE information: Number of sections : 13 > 10
        Source: is-VO510.tmp.6.drStatic PE information: Number of sections : 12 > 10
        Source: is-FCT1V.tmp.6.drStatic PE information: Number of sections : 13 > 10
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile read: C:\Users\user\Desktop\br4Cu3BycW.exe
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\br4Cu3BycW.exe 'C:\Users\user\Desktop\br4Cu3BycW.exe'
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess created: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp 'C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp' /SL5='$302CC,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe'
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess created: C:\Users\user\Desktop\br4Cu3BycW.exe 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess created: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp 'C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp' /SL5='$120262,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe'
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Local\Programs
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile created: C:\Users\user\AppData\Local\Temp\is-I744N.tmp
        Source: classification engineClassification label: mal76.troj.spyw.evad.winEXE@9/191@0/1
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0062CFB8 GetVersion,CoCreateInstance,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0041A4DC GetDiskFreeSpaceW,
        Source: CrystalReports.exe, 00000007.00000002.562307914.00000000007A7000.00000002.00020000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: CrystalReports.exe, 00000007.00000002.562307914.00000000007A7000.00000002.00020000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
        Source: CrystalReports.exe, 00000007.00000002.562307914.00000000007A7000.00000002.00020000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,
        Source: br4Cu3BycW.exeString found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpWindow found: window name: TMainForm
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: br4Cu3BycW.exeStatic file information: File size 5124457 > 1048576

        Data Obfuscation:

        .NET source code contains in memory code execution
        Source: is-N95UU.tmp.6.dr, FileHelpers/RunTime/ClassBuilder.cs.Net Code: CompilerParametersGenerateInMemory(true) and CompilerParameters.GenerateExecutable(false)
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004224F0 push 004225F4h; ret
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00499490 push ecx; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458564 push ecx; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458574 push ecx; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx
        Source: br4Cu3BycW.exeStatic PE information: section name: .didata
        Source: br4Cu3BycW.tmp.1.drStatic PE information: section name: .didata
        Source: br4Cu3BycW.tmp.5.drStatic PE information: section name: .didata
        Source: is-KTI9L.tmp.6.drStatic PE information: section name: /4
        Source: is-KTI9L.tmp.6.drStatic PE information: section name: .xdata
        Source: is-KTI9L.tmp.6.drStatic PE information: section name: /14
        Source: is-VO510.tmp.6.drStatic PE information: section name: .xdata
        Source: is-5P6B9.tmp.6.drStatic PE information: section name: /4
        Source: is-5P6B9.tmp.6.drStatic PE information: section name: .xdata
        Source: is-5P6B9.tmp.6.drStatic PE information: section name: /14
        Source: is-33ENG.tmp.6.drStatic PE information: section name: /4
        Source: is-33ENG.tmp.6.drStatic PE information: section name: .xdata
        Source: is-33ENG.tmp.6.drStatic PE information: section name: /14
        Source: is-FCT1V.tmp.6.drStatic PE information: section name: /4
        Source: is-FCT1V.tmp.6.drStatic PE information: section name: .xdata
        Source: is-FCT1V.tmp.6.drStatic PE information: section name: /14
        Source: is-TECE4.tmp.6.drStatic PE information: section name: /4
        Source: is-D43R5.tmp.6.drStatic PE information: real checksum: 0x0 should be: 0x1a0ba
        Source: br4Cu3BycW.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x315aa3
        Source: br4Cu3BycW.tmp.1.drStatic PE information: real checksum: 0x0 should be: 0x315aa3
        Source: is-7MTO8.tmp.6.drStatic PE information: real checksum: 0x4ae8ac should be: 0x4b55ab
        Source: is-Q7NRR.tmp.6.drStatic PE information: real checksum: 0x4351e8 should be: 0x4554a2
        Source: br4Cu3BycW.exeStatic PE information: real checksum: 0x0 should be: 0x4ec8cf
        Source: is-5P6B9.tmp.6.drStatic PE information: 0xA5E8A5E0 [Sat Mar 16 06:57:36 2058 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qjpeg4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qgif4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-1UL10.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-N95UU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-KTI9L.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libogg-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-GS64B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5P6B9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-L6ITB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-HRO44.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libtasn1-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-7MTO8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-FCT1V.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\pthreadGC2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-TECE4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libssl-40.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\mingwm10.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-MMNOC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-AFSCM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-33ENG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libmongoc-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgthread-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libbson-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-B5IQO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5F8P5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-0V44S.tmpJump to dropped file
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile created: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-OSEV1.tmpJump to dropped file
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile created: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-VO510.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\tsharkdecode.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgpg-error6-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-Q7NRR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libnettle-4-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libffi-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crystal Reports ExtraJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crystal Reports Extra\Crystal Reports Extra.lnkJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe TID: 5404Thread sleep time: -35000s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qjpeg4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qgif4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-1UL10.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-KTI9L.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libogg-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-N95UU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-GS64B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5P6B9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-L6ITB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-HRO44.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libtasn1-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\pthreadGC2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-FCT1V.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-TECE4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\mingwm10.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-MMNOC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-AFSCM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-33ENG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libmongoc-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgthread-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libbson-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-B5IQO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5F8P5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-0V44S.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-OSEV1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-VO510.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\tsharkdecode.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgpg-error6-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-Q7NRR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libnettle-4-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libffi-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040AEF4 FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0060C2B0 FindFirstFileW,GetLastError,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E6A0 FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_0040AEF4 FindFirstFileW,FindClose,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0060C2B0 FindFirstFileW,GetLastError,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0040E6A0 FindFirstFileW,FindClose,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exeThread delayed: delay time: 35000
        Source: CrystalReports.exe, 00000007.00000002.562973809.00000000029C9000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exeCode function: 7_2_6E2BEB08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess created: C:\Users\user\Desktop\br4Cu3BycW.exe 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe'
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmpBinary or memory string: Program Manager
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmpBinary or memory string: Progman
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmpBinary or memory string: Progmanlock
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: GetUserDefaultUILanguage,GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: GetLocaleInfoW,
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00405AE0 cpuid
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0041C3D8 GetLocalTime,
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

        Stealing of Sensitive Information:

        Yara detected Vidar stealer
        Source: Yara match File source: Process Memory Space: CrystalReports.exe PID: 6532, type: MEMORYSTR
        Found many strings related to Crypto-Wallets (likely being stolen)
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: \Electrum\wallets\
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: ElectronCash
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: \jaxx\Local Storage\
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: window-state.json
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: exodus.conf.json
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: \Exodus\
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: info.seco
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: passphrase.json
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: default_wallet
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: file__0.localstorage
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: \MultiDoge\
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet\
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp String found in binary or memory: seed.seco
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp String found in binary or memory: \Electrum-LTC\wallets\
        Source: Yara match File source: 00000007.00000002.562826054.0000000002670000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: CrystalReports.exe PID: 6532, type: MEMORYSTR

        Remote Access Functionality:

        Yara detected Vidar stealer
        Source: Yara match File source: Process Memory Space: CrystalReports.exe PID: 6532, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Command and Scripting Interpreter 2 | Registry Run Keys / Startup Folder 1 | Exploitation for Privilege Escalation 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Scheduled Task/Job | DLL Side-Loading 1 | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 11 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 13 | Access Token Manipulation 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Process Injection 13 | NTDS | Virtualization/Sandbox Evasion 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | System Information Discovery 35 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

        Behavior Graph

        Behavior Graph ID: 492023, Sample: br4Cu3BycW.exe, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 76

        Signatures:
        • Multi AV Scanner detection for dropped file
        • Multi AV Scanner detection for submitted file
        • Yara detected Vidar stealer
        • 3 other signatures

        Process chain (each process is started by the one listed before it):
        • br4Cu3BycW.exe 2: dropped C:\Users\user\AppData\...\br4Cu3BycW.tmp, PE32
        • br4Cu3BycW.tmp 3 13: dropped C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        • br4Cu3BycW.exe 2: dropped C:\Users\user\AppData\...\br4Cu3BycW.tmp, PE32
        • br4Cu3BycW.tmp 5 127: dropped C:\Users\user\AppData\...\is-7MTO8.tmp, PE32; C:\Users\user\...\CrystalReports.exe (copy), PE32; C:\Users\user\...\tsharkdecode.dll (copy), PE32+; 38 other files (none is malicious)
        • CrystalReports.exe 13: DNS/IP 147.135.170.166, 80, OVHFR, France

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        br4Cu3BycW.exe | 6% | Virustotal |
        br4Cu3BycW.exe | 29% | ReversingLabs | Win32.Trojan.Sabsik

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-7MTO8.tmp | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmp | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmp | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy) | 11% | ReversingLabs | Win32.Trojan.Sabsik
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy) | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy) | 2% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy) | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmp | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy) | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy) | 0% | ReversingLabs |

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.elecard.com | 1% | Virustotal |
        http://www.elecard.com | 0% | Avira URL Cloud | safe
        http://www.filehelpers.com0 | 0% | Avira URL Cloud | safe
        http://www.filehelpers.comg | 0% | Avira URL Cloud | safe
        http://147.135.170.166/ | 0% | Avira URL Cloud | safe
        http://147.135.170.166/public/sqlite3.dll | 0% | Avira URL Cloud | safe
        http://www.tux4kids.com. | 0% | Avira URL Cloud | safe
        http://www.filehelpers.com | 0% | Avira URL Cloud | safe
        http://bura-bura.com/blog/archives/2005/08/02/how-to-compile-an-application-for-102-or-103-using-xco | 0% | Avira URL Cloud | safe
        http://translationproject.org/extra/matrix.html | 0% | Avira URL Cloud | safe
        http://translationproject.org/ | 0% | Avira URL Cloud | safe
        https://www.remobjects.com/ps | 0% | URL Reputation | safe
        http://www.galuzzi.it. | 0% | Avira URL Cloud | safe
        https://www.innosetup.com/ | 0% | URL Reputation | safe
        http://tux4kids.net/~jdandr2) | 0% | Avira URL Cloud | safe
        http://www.filehelpers.com4 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries


                                                          Contacted IPs

                                                          Public

                                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                                          147.135.170.166 | unknown | France | 16276 | OVHFR | false

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:492023
                                                          Start date:28.09.2021
                                                          Start time:09:30:50
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 13m 58s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:br4Cu3BycW.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:22
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal76.troj.spyw.evad.winEXE@9/191@0/1
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 33.6% (good quality ratio 32.8%)
                                                          • Quality average: 79.9%
                                                          • Quality standard deviation: 23.8%
                                                          HCA Information:Failed
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Created / dropped Files have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 20.54.110.249, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.199.120.151, 80.67.82.211, 80.67.82.235, 20.199.120.85
                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          09:32:02 | API Interceptor | 1x Sleep call for process: CrystalReports.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6144
                                                          Entropy (8bit):4.720366600008286
                                                          Encrypted:false
                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6144
                                                          Entropy (8bit):4.720366600008286
                                                          Encrypted:false
                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp
                                                          Process:C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3194368
                                                          Entropy (8bit):6.32732791778373
                                                          Encrypted:false
                                                          SSDEEP:49152:qEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:692bz2Eb6pd7B6bAGx7s333T
                                                          MD5:EEB69F7B86959AE72B9D37443FB7F3D0
                                                          SHA1:EA687885FF8711724639134819BFFFE3934E0CC1
                                                          SHA-256:5A3CCC92F7966F8A3F8D0FBC50CEF8452560341F4E23C769247B3CDD0818AF11
                                                          SHA-512:0EB7B152B595154B5221CC916A5AA79181E5EC5CF87D9CBEE734A2DD7E1512504AF19D2B857337A4CE956935E0A1C0E9E6BABB91AE5855EB9952523497538374
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          Process:C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3194368
                                                          Entropy (8bit):6.32732791778373
                                                          Encrypted:false
                                                          SSDEEP:49152:qEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:692bz2Eb6pd7B6bAGx7s333T
                                                          MD5:EEB69F7B86959AE72B9D37443FB7F3D0
                                                          SHA1:EA687885FF8711724639134819BFFFE3934E0CC1
                                                          SHA-256:5A3CCC92F7966F8A3F8D0FBC50CEF8452560341F4E23C769247B3CDD0818AF11
                                                          SHA-512:0EB7B152B595154B5221CC916A5AA79181E5EC5CF87D9CBEE734A2DD7E1512504AF19D2B857337A4CE956935E0A1C0E9E6BABB91AE5855EB9952523497538374
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4910592
                                                          Entropy (8bit):6.572031041695352
                                                          Encrypted:false
                                                          SSDEEP:49152:dYQUcTX0/fq7b81I89fNkiiD3khqwqREQDfqtd4keAG4/lqQNOhw5XlAzmGLateC:5zB7b8O8QZrjwwhw5XlACGm8CtxARti
                                                          MD5:11DD538F1BF5F174834DBA334964A691
                                                          SHA1:3B080FA94C71CFAB65A0CD407EACAC4C2B1B2378
                                                          SHA-256:1BC4B73613228169EF7F57222EF36A6D9B3A2F3347EFA2228C53DC3B83559888
                                                          SHA-512:8E0A0455BDECBA073B06BE610917C71B6082745DF91B34C2663BC8D86361E71EA8FFF3D222E087AA3560A1AEE3455CA1DC7F2957726D86B001F4124DE220F911
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 11%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Docs\Quick Start.pdf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PDF document, version 1.4
                                                          Category:dropped
                                                          Size (bytes):101222
                                                          Entropy (8bit):6.983769460731426
                                                          Encrypted:false
                                                          SSDEEP:1536:loTqjohGkVSC9aZHu40Y7w58PxeVPM6b24k8frIP4T8m0qd4gBE:1lHfEU03kPm8m0qzBE
                                                          MD5:1BDDB792FEC19750CCBBB8352B2B8FFE
                                                          SHA1:DD300CB011E0D9ABD57F41503E31367167FDDD68
                                                          SHA-256:58045223424D936ADCEFC09C06F635C30A1AABA0335FC5D5954B43833B53FD72
                                                          SHA-512:1438030735AA9549E13B2E275210A9C6BB825329ACD568D8C38F8DEBE04474CE01BE5E44EF6B76913D47B59D33C58954615754CFFBCE67DE04F9CCBAA8341631
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: %PDF-1.4.%......1 0 obj.<</Metadata 2 0 R/Pages 3 0 R/Type/Catalog/ViewerPreferences<</Direction/L2R>>>>.endobj.2 0 obj.<</Length 43322/Subtype/XML/Type/Metadata>>stream..<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/">. <xmp:CreateDate>2010-05-21T13:47:48-04:00</xmp:CreateDate>. <xmp:MetadataDate>2010-05-21T13:47:48-04:00</xmp:MetadataDate>. <xmp:ModifyDate>2010-05-21T13:47:48-04:00</xmp:ModifyDate>. <xmp:CreatorTool>Adobe InCopy CS5 (7.0)</xmp:CreatorTool>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:stRef="http://ns.ad
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Docs\is-PSH61.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PDF document, version 1.4
                                                          Category:dropped
                                                          Size (bytes):101222
                                                          Entropy (8bit):6.983769460731426
                                                          Encrypted:false
                                                          SSDEEP:1536:loTqjohGkVSC9aZHu40Y7w58PxeVPM6b24k8frIP4T8m0qd4gBE:1lHfEU03kPm8m0qzBE
                                                          MD5:1BDDB792FEC19750CCBBB8352B2B8FFE
                                                          SHA1:DD300CB011E0D9ABD57F41503E31367167FDDD68
                                                          SHA-256:58045223424D936ADCEFC09C06F635C30A1AABA0335FC5D5954B43833B53FD72
                                                          SHA-512:1438030735AA9549E13B2E275210A9C6BB825329ACD568D8C38F8DEBE04474CE01BE5E44EF6B76913D47B59D33C58954615754CFFBCE67DE04F9CCBAA8341631
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: %PDF-1.4.%......1 0 obj.<</Metadata 2 0 R/Pages 3 0 R/Type/Catalog/ViewerPreferences<</Direction/L2R>>>>.endobj.2 0 obj.<</Length 43322/Subtype/XML/Type/Metadata>>stream..<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/">. <xmp:CreateDate>2010-05-21T13:47:48-04:00</xmp:CreateDate>. <xmp:MetadataDate>2010-05-21T13:47:48-04:00</xmp:MetadataDate>. <xmp:ModifyDate>2010-05-21T13:47:48-04:00</xmp:ModifyDate>. <xmp:CreatorTool>Adobe InCopy CS5 (7.0)</xmp:CreatorTool>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:stRef="http://ns.ad
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):147456
                                                          Entropy (8bit):5.132194016685221
                                                          Encrypted:false
                                                          SSDEEP:3072:Ju6aJX0iugleTtmPzeLmQlV9MxSh356/JwQ3QklkuSmpKFb4NbkR2:9aJX0i9PaLmQlVxhw53w5bsbk
                                                          MD5:D817A6EC84CC47899F249B2C03B5F985
                                                          SHA1:5EBF96041A694C85BAD7F71F0679F64700EE272E
                                                          SHA-256:0A5DC4026BCEEB4AFDDDD73E3E16CC7224B2640E86A379D9AFE6E5A81CE1ECDC
                                                          SHA-512:96D161C7844304D4466384F5A25E27E54F0A79FEFC51E0656746837D31772EB84AB203E13686391B5FA0126F0F3C705876C1C1AE8EEF4E4F0EC67C8C379918A2
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):77824
                                                          Entropy (8bit):5.10431466984057
                                                          Encrypted:false
                                                          SSDEEP:1536:amAnsoKlNNzfkEMqqU+2bbbAV2/S2eVLVUJfKFjJ:aooKlNNQEMqqDL2/MJUJfKFjJ
                                                          MD5:6316C4082CACF8F3F4F22DAEF56CB15C
                                                          SHA1:CEA3DE90B20396B092797EC8C7E241E822C8FAED
                                                          SHA-256:5594B08C79A4D188A674713011CD516618FA36D2F988F7D353FB3370939A4062
                                                          SHA-512:E1E0A6440F91B208B61775E30D8FC1BE299A298E00ED564CA7C74FA8728738AF66E6C3C0805553ABBC4A8D2838CD21BFDE61AC2322FFF4E62AC4D6796A0821BC
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\License.rtf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:Rich Text Format data, version 1, ANSI
                                                          Category:dropped
                                                          Size (bytes):64156
                                                          Entropy (8bit):5.315320157680189
                                                          Encrypted:false
                                                          SSDEEP:768:zgv96cAAxEzYDlHnnDx2QAAw44RmkXOQQrWU0CW246jm/grBT8UojwKA7npBL4Cc:apRyHEQmtmMy4uIxju0TfTRY
                                                          MD5:8B1E3300D8671530E75C4EA201945457
                                                          SHA1:A7933AE925175F0CF6876506F56583CBBC18E966
                                                          SHA-256:AB5E632345D9CED4F8BCB210BF6E0922A18479E0620943ACD613D7B5C68F473D
                                                          SHA-512:A58A7A2C473CF5E9D81664C30904C18A593C57A873EE9DFA20610594885BE54FB92DEC628DD3DC3D73C7D7F266B20C771447D9B1CD7D3FBA7B66526AE6157184
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: {\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f1\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f43\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Garamond;}{\f75\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial (W1){\*\falt Arial};}..{\f78\froman\fcharset0\fprq2 Times New Roman;}{\f76\froman\fcharset238\fprq2 Times New Roman CE;}{\f79\froman\fcharset161\fprq2 Times New Roman Greek;}{\f80\froman\fcharset162\fprq2 Times New Roman Tur;}..{\f81\froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f82\froman\fcharset178\fprq2 Times New Roman (Arabic);}{\f83\froman\fcharset186\fprq2 Times New Roman Baltic;}{\f84\froman\fcharset163\fprq2 Times New Roman (Vietnamese);}..{\f88\fswiss\fcharset0\fprq2 Arial;}{\f86\fswiss\fcharset238\fprq2 Arial CE;}{\f89\fswiss\fcharset161\fprq2 Arial Greek;}{\f90\fswiss\fcharset16
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-BME18.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):98
                                                          Entropy (8bit):4.1287617936786605
                                                          Encrypted:false
                                                          SSDEEP:3:5lF5lvXJlFQIdwqBlFQJUmdUlFQJoGLEd:NWId1e6qnKGwd
                                                          MD5:DB1BD76FF52FE427A03204673A307B12
                                                          SHA1:72232D601DBEEE8E448AF0CC41D2D517AA56296D
                                                          SHA-256:6C3CEFCA10C5E5676A6EF14E8CA472F8F0A11C3DED7391B14ACB24BF3D7B727C
                                                          SHA-512:1BD2065AC82F7D858EDED6EF3348D9D3CD5F5DFB2772D351B77F737A2378EAA7D7E05D6008A36A852647446FC60C9A388FA51E7A8F401C6C43FC287D70F10A24
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /u /s LC.dll..regsvr32 /u /s em2vd.ax..regsvr32 /u /s el2ad.ax..regsvr32 /u /s elaudec.ax
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):77824
                                                          Entropy (8bit):5.10431466984057
                                                          Encrypted:false
                                                          SSDEEP:1536:amAnsoKlNNzfkEMqqU+2bbbAV2/S2eVLVUJfKFjJ:aooKlNNQEMqqDL2/MJUJfKFjJ
                                                          MD5:6316C4082CACF8F3F4F22DAEF56CB15C
                                                          SHA1:CEA3DE90B20396B092797EC8C7E241E822C8FAED
                                                          SHA-256:5594B08C79A4D188A674713011CD516618FA36D2F988F7D353FB3370939A4062
                                                          SHA-512:E1E0A6440F91B208B61775E30D8FC1BE299A298E00ED564CA7C74FA8728738AF66E6C3C0805553ABBC4A8D2838CD21BFDE61AC2322FFF4E62AC4D6796A0821BC
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-NST0V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:Rich Text Format data, version 1, ANSI
                                                          Category:dropped
                                                          Size (bytes):64156
                                                          Entropy (8bit):5.315320157680189
                                                          Encrypted:false
                                                          SSDEEP:768:zgv96cAAxEzYDlHnnDx2QAAw44RmkXOQQrWU0CW246jm/grBT8UojwKA7npBL4Cc:apRyHEQmtmMy4uIxju0TfTRY
                                                          MD5:8B1E3300D8671530E75C4EA201945457
                                                          SHA1:A7933AE925175F0CF6876506F56583CBBC18E966
                                                          SHA-256:AB5E632345D9CED4F8BCB210BF6E0922A18479E0620943ACD613D7B5C68F473D
                                                          SHA-512:A58A7A2C473CF5E9D81664C30904C18A593C57A873EE9DFA20610594885BE54FB92DEC628DD3DC3D73C7D7F266B20C771447D9B1CD7D3FBA7B66526AE6157184
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: {\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f1\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f43\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Garamond;}{\f75\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial (W1){\*\falt Arial};}..{\f78\froman\fcharset0\fprq2 Times New Roman;}{\f76\froman\fcharset238\fprq2 Times New Roman CE;}{\f79\froman\fcharset161\fprq2 Times New Roman Greek;}{\f80\froman\fcharset162\fprq2 Times New Roman Tur;}..{\f81\froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f82\froman\fcharset178\fprq2 Times New Roman (Arabic);}{\f83\froman\fcharset186\fprq2 Times New Roman Baltic;}{\f84\froman\fcharset163\fprq2 Times New Roman (Vietnamese);}..{\f88\fswiss\fcharset0\fprq2 Arial;}{\f86\fswiss\fcharset238\fprq2 Arial CE;}{\f89\fswiss\fcharset161\fprq2 Arial Greek;}{\f90\fswiss\fcharset16
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-UREBA.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):88
                                                          Entropy (8bit):4.147114079371796
                                                          Encrypted:false
                                                          SSDEEP:3:5jFPvXJjFPwqBjFjmdUjFLGLEU:7b1/qKGwU
                                                          MD5:26CB1034EDD008ABD00D7A1F935B61C5
                                                          SHA1:2E45FDDD2280A14A96B8CB1ED8B8E4C9707F9C41
                                                          SHA-256:F4E0FBC265020D01AAF4F451FFD9319AB3742AEEF949AF7A38260790FF6E4670
                                                          SHA-512:EA300163B36C9EE397812B6DC4FBA07849014F6C57D5C2F07E243414C4EE1E156A4100D7EB4BC555AC48B3EDA2C7990D0329D3C1ADEDE29F54AE1FF7C17FB480
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /s LC.dll..regsvr32 /s em2vd.ax..regsvr32 /s el2ad.ax..regsvr32 /s elaudec.ax..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\register.cmd (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):88
                                                          Entropy (8bit):4.147114079371796
                                                          Encrypted:false
                                                          SSDEEP:3:5jFPvXJjFPwqBjFjmdUjFLGLEU:7b1/qKGwU
                                                          MD5:26CB1034EDD008ABD00D7A1F935B61C5
                                                          SHA1:2E45FDDD2280A14A96B8CB1ED8B8E4C9707F9C41
                                                          SHA-256:F4E0FBC265020D01AAF4F451FFD9319AB3742AEEF949AF7A38260790FF6E4670
                                                          SHA-512:EA300163B36C9EE397812B6DC4FBA07849014F6C57D5C2F07E243414C4EE1E156A4100D7EB4BC555AC48B3EDA2C7990D0329D3C1ADEDE29F54AE1FF7C17FB480
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /s LC.dll..regsvr32 /s em2vd.ax..regsvr32 /s el2ad.ax..regsvr32 /s elaudec.ax..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\unregister.cmd (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):98
                                                          Entropy (8bit):4.1287617936786605
                                                          Encrypted:false
                                                          SSDEEP:3:5lF5lvXJlFQIdwqBlFQJUmdUlFQJoGLEd:NWId1e6qnKGwd
                                                          MD5:DB1BD76FF52FE427A03204673A307B12
                                                          SHA1:72232D601DBEEE8E448AF0CC41D2D517AA56296D
                                                          SHA-256:6C3CEFCA10C5E5676A6EF14E8CA472F8F0A11C3DED7391B14ACB24BF3D7B727C
                                                          SHA-512:1BD2065AC82F7D858EDED6EF3348D9D3CD5F5DFB2772D351B77F737A2378EAA7D7E05D6008A36A852647446FC60C9A388FA51E7A8F401C6C43FC287D70F10A24
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /u /s LC.dll..regsvr32 /u /s em2vd.ax..regsvr32 /u /s el2ad.ax..regsvr32 /u /s elaudec.ax
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\License.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):15099
                                                          Entropy (8bit):4.490145322936716
                                                          Encrypted:false
                                                          SSDEEP:192:s4HVPM3N2zi6547iYOE6k+jLPv4IdQQXyAOiDaoL8HZwM3fxEq/Sl4eAxjf+6:s4Hmv7iE6kY4I9yAO2NL8OMBI4eAxTV
                                                          MD5:D13ADE1829C8B1A1621DB24D91F2D082
                                                          SHA1:A7BD24E809EF9BE6A37EF2BD01D23D4465E979DD
                                                          SHA-256:079952DC637DBAA9806C40A001BF5837079ADE9066F8AA18C80D23507B7E3DA3
                                                          SHA-512:33FCD64FB4881801AC269A4065C2223C0A02EEDD1132EDC0E92EF35CDCC96DB669676681C26FBF3605DD1E8982919BECA1E644935F0C2B39537CD8D2886F41BC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE....Version 2, June 1991....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth..Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute..verbatim copies of this license document, but changing it is not allowed.....Preamble....The licenses for most software are designed to take away your freedom to share..and change it. By contrast, the GNU General Public License is intended to..guarantee your freedom to share and change free software--to make sure the..software is free for all its users. This General Public License applies to most..of the Free Software Foundation's software and to any other program whose..authors commit to using it. (Some other Free Software Foundation software is..covered by the GNU Library General Public License instead.) You can apply it to..your programs, too.....When we speak of free software, we are referring to freedom, not price. Our..General Public Licenses are designed to make sure tha
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):53248
                                                          Entropy (8bit):4.571289360851901
                                                          Encrypted:false
                                                          SSDEEP:384:Lo5zW/Z0L39rAzRdjfNnCuYE0myI+Stu1OooEoZj1ofV5dkn67vc6ea3bKyEeJPG:LorLSpl2HJ3orWB3F9JUsm/n
                                                          MD5:253BC53169AD46B1EAFB92982BA7268E
                                                          SHA1:3F2F8C6324480B1F39C7BC06B8503FEEDFE5DEF4
                                                          SHA-256:CA513F09B64F8E3DC8EE09663854ADF7E4E84544133D07A3A2EF55701ABFAD4C
                                                          SHA-512:AB6847F2B7E07E85D555B313D63F74D4E74E50EA09EF32FE427822A25ECA12264A49347428D32F42ED65C669C28DAC426310BBD401A21C03177BD9729CFB5E08
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\PDF_32x32.ico (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):4.039276211338556
                                                          Encrypted:false
                                                          SSDEEP:96:Vlc4sGlhLesCncGE45m8sPaxrOSzv1H29K1KgoJC+t6szu0NO0IPENMx9x4alGJa:DtrJZ6serDeJqMUf4JkYl6
                                                          MD5:0BF18ABDC53FC1AE4DB2545ABBB486FA
                                                          SHA1:A333D0AEB07C3996E65BB9DC0682415026131F99
                                                          SHA-256:D85FEE8448F26FC990D3C54CAED42CFFB98C06109F2D55F645FD0490E0DC25BA
                                                          SHA-512:AD8B1D960236A41290BE9A063B8FF1E2174DD1659C96B2A1712F8CEC39C28E073DE50AA1A087800FA7830796B42BC64CBD537354C33DE42D0151AB61B8237BE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\enc.ico (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):3.9681804468286277
                                                          Encrypted:false
                                                          SSDEEP:192:FzvfVE74IjYKZ4FQfJ43urjtpQqP7xTTqWV:hC4IjYKZ4Fs7rjtpQa3
                                                          MD5:E149094555DD89FE88D8836A51090DE6
                                                          SHA1:EECE6539C9FAD65B0DAC035AEF6B9920866941B0
                                                          SHA-256:7D6206D8F7DA57BC2E4A69804CC5796A146AF98C920BB6801BBEBE4335B09E32
                                                          SHA-512:58524DAB052147CA5162F0992ED030FEC1203726DB1634FAFB0B92802787374EFCD0F5E4D2F20DD7A58C38F49D01A98E9C00FDA03E6370BA73F83A922BB54F14
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\ico48.ico (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):15086
                                                          Entropy (8bit):5.750409332348987
                                                          Encrypted:false
                                                          SSDEEP:96:VFv6swSQHlNxbFlswv1EhGRjI5iMGgqexHw3eugeEeNesDeP4eTe02eVtVe7eEDu:tOzVFlssuIlvMvQwXeuD0Udl47m6zk
                                                          MD5:423CA0B47B073150089226A3E616702E
                                                          SHA1:62C33784525890C31C6AC65E29D22E4D304025B3
                                                          SHA-256:1732898BCCE38FC7724677F884C7643BBA1CA690302831557A134E18035C4718
                                                          SHA-512:A9E94F8F9376DC3D736D9AB458A2F3DCBC753311849B69A927ABA969874A2B4CC78648247D4D44B407140FB884BDE69F3DFEE6B6AC0622B4C949B85642E59416
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\is-5TG90.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):4.039276211338556
                                                          Encrypted:false
                                                          SSDEEP:96:Vlc4sGlhLesCncGE45m8sPaxrOSzv1H29K1KgoJC+t6szu0NO0IPENMx9x4alGJa:DtrJZ6serDeJqMUf4JkYl6
                                                          MD5:0BF18ABDC53FC1AE4DB2545ABBB486FA
                                                          SHA1:A333D0AEB07C3996E65BB9DC0682415026131F99
                                                          SHA-256:D85FEE8448F26FC990D3C54CAED42CFFB98C06109F2D55F645FD0490E0DC25BA
                                                          SHA-512:AD8B1D960236A41290BE9A063B8FF1E2174DD1659C96B2A1712F8CEC39C28E073DE50AA1A087800FA7830796B42BC64CBD537354C33DE42D0151AB61B8237BE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\is-60EIS.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):3.9681804468286277
                                                          Encrypted:false
                                                          SSDEEP:192:FzvfVE74IjYKZ4FQfJ43urjtpQqP7xTTqWV:hC4IjYKZ4Fs7rjtpQa3
                                                          MD5:E149094555DD89FE88D8836A51090DE6
                                                          SHA1:EECE6539C9FAD65B0DAC035AEF6B9920866941B0
                                                          SHA-256:7D6206D8F7DA57BC2E4A69804CC5796A146AF98C920BB6801BBEBE4335B09E32
                                                          SHA-512:58524DAB052147CA5162F0992ED030FEC1203726DB1634FAFB0B92802787374EFCD0F5E4D2F20DD7A58C38F49D01A98E9C00FDA03E6370BA73F83A922BB54F14
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\is-NE78S.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):15086
                                                          Entropy (8bit):5.750409332348987
                                                          Encrypted:false
                                                          SSDEEP:96:VFv6swSQHlNxbFlswv1EhGRjI5iMGgqexHw3eugeEeNesDeP4eTe02eVtVe7eEDu:tOzVFlssuIlvMvQwXeuD0Udl47m6zk
                                                          MD5:423CA0B47B073150089226A3E616702E
                                                          SHA1:62C33784525890C31C6AC65E29D22E4D304025B3
                                                          SHA-256:1732898BCCE38FC7724677F884C7643BBA1CA690302831557A134E18035C4718
                                                          SHA-512:A9E94F8F9376DC3D736D9AB458A2F3DCBC753311849B69A927ABA969874A2B4CC78648247D4D44B407140FB884BDE69F3DFEE6B6AC0622B4C949B85642E59416
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\ABOUT-NLS (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):76502
                                                          Entropy (8bit):2.4185965872860735
                                                          Encrypted:false
                                                          SSDEEP:384:cvXuypQc+jWYla0GOtQBknkYVM/kLR78k/RPfkRr06uUxKQH6k+9i:c2aEWyZztmknkeM/kd78k5Pfk086kl
                                                          MD5:B5A080B27B5B4C1A160D2BED1FCFAF9F
                                                          SHA1:B50287B75A3B098301455E34C8D8E52A09FA8938
                                                          SHA-256:4C825530CA79E944B63C56ED30BE58EF792B4ADAB6F7F38ABAB8C054432F4A86
                                                          SHA-512:4EFCE9472E21B052B8FE8113DD3B5480586C06CD27C8535712B10BAE2F7E32F33530A9E8C8DA6F6D8FEAD682EE556EAEC0CDA2525CE9121EC95B6E25F3075696
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1 Notes on the Free Translation Project.***************************************..Free software is going international! The Free Translation Project is.a way to get maintainers of free software, translators, and users all.together, so that free software will gradually become able to speak many.languages. A few packages already provide translations for their.messages... If you found this `ABOUT-NLS' file inside a distribution, you may.assume that the distributed package does use GNU `gettext' internally,.itself available at your nearest GNU archive site. But you do _not_.need to install GNU `gettext' prior to configuring, installing or using.this package with messages translated... Installers will find here some useful hints. These notes also.explain how users should proceed for getting the programs to use the.available translations. They tell how people wanting to contribute and.work on translations can contact the appropriate team... When reporting bugs in the `intl/' direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\AUTHORS (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):4390
                                                          Entropy (8bit):5.0878631480288785
                                                          Encrypted:false
                                                          SSDEEP:48:bGKA1YUK6lqGCNsdksZXnA2TZUIZABZpA5DtDVr36ko18dpeQqCvQ48SN7N3kPCz:KKA1HCNsdk5QpvRqCvaw1kPC3flcL+
                                                          MD5:4B8E4F960D80B0458ACBEEA70D025895
                                                          SHA1:8222D99B7F2CC775471BF0B55502627A457202B5
                                                          SHA-256:37D3194DBD584985C5544E805E293C3F2A8833D7CCAF0935AC8678895665DCB3
                                                          SHA-512:E7CCBDFD356A67B757C7B119189AC2C5A4707017AFA589644C9B43EBD72640C73182353EEE74267F9CDB7C66C59EB4FC0E821147A34E16EEE0A347106B915C80
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing Original Author:.----------.Sam Hart <hart@geekcomix.com>..Current Maintainer and Lead Coder:.-------.David Bruce <davidstuartbruce@gmail.com>..Coders:.-------.David Bruce <davidstuartbruce@gmail.com>.Jesse Andrews <jdandr2@uky.edu>.Calvin Arndt <calarndt@tux4kids.org>.Sam Hart <hart@geekcomix.com>.Jacob Greig <bombastic@firstlinux.net>.Sreyas Kurumanghat.<k.sreyas@gmail.com>.Sreerenj Balachandran <bsreerenj@gmail.com>.Vimal Ravi <vimal_ravi@rediff.com>.Prince K. Antony <prince.kantony@gmail.com>.Mobin Mohan <mobinmohan@gmail.com>.Matthew Trey <tux4kids@treyhome.com>.Sarah Frisk <ssfrisk@gmail.com>..Packaging & Ports:.------------------.Holger Levsen <holger@debian.org> - (Debian packager).David Bruce <davidstuartbruce@gmail.com> - (Windows crossbuild using Linux host, OpenSUSE Build Service rpm packages, MacPorts build).Alex Shorthouse <ashorthouse@rsd13.org> - (more recent Mac OSX port).Luc Shrivers <Begasus@skynet.be> - (BeOS/Haiku port)..(previous packagers:).David Mar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\COPYING (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):15131
                                                          Entropy (8bit):4.682434970392502
                                                          Encrypted:false
                                                          SSDEEP:384:AEUwi5rRL67cyV12rPd34FomzM2/R+qWG:A7FCExGFzeqt
                                                          MD5:CBBD794E2A0A289B9DFCC9F513D1996E
                                                          SHA1:2D29C273FDA30310211BBF6A24127D589BE09B6C
                                                          SHA-256:67F82E045CF7ACFEF853EA0F426575A8359161A0A325E19F02B529A87C4B6C34
                                                          SHA-512:C1D6AA39A08542C0C92057946FA1E6A65759575DE1C446B0D11CDF922B2F41EB088B7DC007CD3858FF4AC8C22D6F02E4FAA94FF6A697064613F073C432FB1EF1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .. GNU GENERAL PUBLIC LICENSE... Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Library General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, not.price. Our General Public Licenses are de
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\ChangeLog (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):29717
                                                          Entropy (8bit):4.7846516544735325
                                                          Encrypted:false
                                                          SSDEEP:384:smHYO2QyLSEN5KmtCVtaMmy8dnMQxWMW0bbyyuE1T0+bTh1qWBHXYzI1W5L4V8Gd:1aQHej26aWvm6cC0WFmPY
                                                          MD5:DD4E1B9708EF55F30D06198198AD2B03
                                                          SHA1:34092F4338FD69E66F8C4525201BCF760FD55019
                                                          SHA-256:07DEC805477121755D2C4309547017BBF6AE4A439C8D3925B7D928CAB2FFEEA7
                                                          SHA-512:71A3423F3F68B99ECBAD311C00BBD00D9806037D71DDC5378D91D6E01EE64EF44DA8569DA027498D4F94CD0293C5DD504A042B64DEDF875DF92D9D96CE450352
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 04 Apr 2010 (git.debian.org/tux4kids/tuxtype.git - tag = "version-1.8.1".[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.1..- Several minor enhancements - git commit messages now serving as..primary documentation of development, rather than this changelog...- Fish cascade backgrounds now selected randomly...- Fish cascade graphics now use true alpha channel rather than SDL..colorkey...- Some fixes related to file location of custom word lists...09 Nov 2009 (svn.debian.org/tux4kids - revision 1640) .[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.0. - Sarah Frisk's word list editor from GSoC 2009 has been merged in as. a new, somewhat "beta" feature...12 Sep 2009 (svn.debian.org/tux4kids - revision 1532) .[ David Bruce <davidstuartbruce@gmail.com> ]. - Media - new music files and backgrounds contributed by Caroline Ford,. some old sounds (the ones with suboptimal free licensing) removed - Tux. Typing is now 100% DFSG-compliant. Re
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\INSTALL (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):10644
                                                          Entropy (8bit):4.801280319778263
                                                          Encrypted:false
                                                          SSDEEP:192:ZwDpWkkNH3WhWdWjPpAcWaprsKtFd2W7688zIOKBRqB:ZwDpWkCXWhWdWbp7WapTtyW7n0oRqB
                                                          MD5:8FB227C6E1B6375D0AFD0DEED289E0B4
                                                          SHA1:8C30D1E996821D2BA9E84E86214F24CBC094A005
                                                          SHA-256:C4ADD274C0889E61F7F6B591C601842F9F9C3E7C17D36E4374AFEF4E1F899A50
                                                          SHA-512:6BC7638BE91AFD98E0DC37B91007C1997B32CAFDFF524A6B4C06BC5DD61E28E9D184A2B662DBF55765F88CA3BB2DF3C7EBB00CA6287A011001C2D1AF1FA279AF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing 1.8.1.04 Apr 2010..NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows. For GNU/Linux users, you.need the "*dev" files for the SDL libs listed below, and should have the.dev file for SDL_Pango if you want to display non-Western text. TuxType.will build successfully, but without SDL_Pango support, if this header/lib.is not found...Most GNU/Linux users can install Tux Typing with their distribution's .package manager (such as apt or yum). To build from source, you can grab.the tuxtype_w_fonts*tar.gz, untar it, and build with "./configure; make;.make install". You do not need Autotools unless you are building from.a Subversion repository checkout. MacOSX users and Windows users can.install with very user-friendly binary installer packages - DSB...The current web site is http://www.tux4kids.com..The developer mailing list is tux4kids-tuxtype-dev@lists.alioth.debian.org..Feel free to email with any feedback or
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\OFL (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4599
                                                          Entropy (8bit):4.991877820151237
                                                          Encrypted:false
                                                          SSDEEP:96:rmgAmgnPUibMxxUDfGkKnjfRU88f+BktjVKvR1wyQeQHDZoN:yiXsMPZW88f+XvR9QHtE
                                                          MD5:969851E3A70122069A4D9EE61DD5A2ED
                                                          SHA1:C450C836DB375B12AB7A4C10B09375513D905A68
                                                          SHA-256:CE243FD4A62B1B76C959FFBA6EC16A7A3146B2362D441AE4F9F7F32FC3750D6C
                                                          SHA-512:54B335554F88E01EF0B07ED5F20C7FBC86EDE2E6395BA53AFC7B5DDF8C7DA728309A70E178ACD5AA8AFD16BCDF64527A1ACBB54D51D693A2966D34218F963DCE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Copyright (c) <dates>, <Copyright Holder> (<URL|email>),.with Reserved Font Name <Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>),.with Reserved Font Name <additional Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>)...This Font Software is licensed under the SIL Open Font License, Version 1.1..This license is copied below, and is also available with a FAQ at:.http://scripts.sil.org/OFL...-----------------------------------------------------------.SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007.-----------------------------------------------------------..PREAMBLE.The goals of the Open Font License (OFL) are to stimulate worldwide.development of collaborative font projects, to support the font creation.efforts of academic and linguistic communities, and to provide a free and.open framework in which fonts may be shared and improved in partnership.with others...The OFL allows the licensed fonts to be used,
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\README (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):3612
                                                          Entropy (8bit):4.707814791494116
                                                          Encrypted:false
                                                          SSDEEP:96:PxyP+cp7u0m7yLhA5hnmQi+8Eea67yrzb4GeC3xLGRLyynj:Pwmw7uh95fiEeVOP41EEyo
                                                          MD5:F5E6311A96B7BD0715FFDD86CF1E1553
                                                          SHA1:BB80358A88F84F8E6A310D9920B92D8F30FF4C14
                                                          SHA-256:F5259F91C0D622D456FA99BE940184BD1EEB8EBD9D4EC28B44669BDD98176B45
                                                          SHA-512:2ED6167B6227A83DC361B175E7ACB0FB23B126E782153B76758D54748AC396D0C19BC6E54E1659A6F4F6B5AE36891EBFAE075D8BBC8C992FAA01388F990D096B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows - DSB...Tux Typing:.An Educational Typing Tutor Game Starring Tux, the Linux Penguin.----------------------------------------------------------------..(To install the game on your system, please read the INSTALL file.).. If you are interested in Translation/moving this game to another . language, please send a mail to .. David Bruce <davidstuartbruce@gmail.com>, . Holger Levsen <debian@layer-acht.org>, or to:.. <tux4kids-tuxtype-dev@lists.alioth.debian.org>.. Additional information on this subject is covered in "HowToTheme.html". in the "doc/en" directory of this package...(Updated 04 Apr 2010)..This is version 1.8.1 of Tux Typing...In Fish Cascade you control Tux as he searches for fish to eat. Fish fall.from the top of the screen. These fish have letters on them. Unforunately.for Tux, eating a fish with a letter on it will cause his stomach to.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\TODO (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1043
                                                          Entropy (8bit):4.6860266698980135
                                                          Encrypted:false
                                                          SSDEEP:24:NPVQRBFhBOKsV1+BBMKXOweWYK8dcxTJtXiwyfhpk:NuhBOKM1+BBMKdeLaJRr
                                                          MD5:4D1B4BFAD0C4D377505C3C14B7B60EBB
                                                          SHA1:07CBB76C647E8334506D1D63855689D4D001C4E2
                                                          SHA-256:D00691DE52A7961695100061C9717E57CFFAA2D390A9A25311FB6775122830D5
                                                          SHA-512:83D9BD9811EDFF42ACC72AEDB6DF95C28ABFFC197CC9521F3B3B62CD03B9A577F63E537FD8A6D941E61E6E24C6BE00977B3C98DC6608DBDF302ED6C28AE24449
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Updated 04 Apr 2010..Briefly, here are some current issues:..Tuxtype:..- Code: still needs a lot of cleanup. Tuxtype could benefit markedly from the reorganization using libt4k-common...- Build: mingw-cross-env crossbuild not ready for general consumption....- SDL_mixer 1.2.11 exits unexpectedly on initial call to Mix_OpenAudio(), reason not yet clear....- SDL_Pango builds successfully, but resultant program does not display any text when run under Windows....- If SDL_Pango disabled, configure script fails to link to SDL_ttf...- Build: need current binary build for Mac OS-X..- Input methods: tuxtype does not correctly handle keyboard input that uses more than one keypress for each character (such as Asian languages). The input methods code from tuxpaint has been added to the source tree, but is not yet actually used...- "Content" - could use better lessons to actually teach touch typing in a systematic fashion...- Should display lesson names rather than simply file names, and would b
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\TuxType_port_Mac.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):4056
                                                          Entropy (8bit):4.947683257149111
                                                          Encrypted:false
                                                          SSDEEP:96:88AMGX2Jjro4obNTSdO7BUz6pZRgrKGTg:tApGJHoZtSw7arTTg
                                                          MD5:12CD9A17B7741CB9989FEA8AEBF82C6F
                                                          SHA1:B321C8B0122548853C9FCEDE1DCA4640C13711DD
                                                          SHA-256:685964CBDA0311A79D10B315C503B15A7CE3EF9EC60C62AD8CE73DBA21A5986B
                                                          SHA-512:488C19FE3D911FA5A8EC15E3712550BD1F6A2F3BEAF0A98E4432F86C77B891E044E724426F322FCA70B4D88E929F094454FCF890D2EEEC25B209447B95193FE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: How I Ported Tuxtype to Mac OS X:..**Note** I am writing this from memory. These steps should work, but if they do not, contact the tuxtype developer team and search google for answers. That is how I was able to port Tuxtype...**Note** My tuxtye.xcodeproj should exist in the Tuxtype SVN. Open that to see my settings for the project...Requirements: .1. Mac OS 10.4 or higher (10.3, SDL, and Quicktime causes an error, so use 10.4).2. Xcode 2.5 [a free download from Apple's website] (or Xcode 3 should work but has not been tested)...Steps to get Tuxtype working on a Mac:..1. Download the following source codes:. a. SDL (I used version 1.2.12) [http://www.libsdl.org/download-1.2.php]. b. SDL_image (I used version 1.2.6) [http://www.libsdl.org/projects/SDL_image/]. c. SDL_mixer (I used version 1.2.8) [http://www.libsdl.org/projects/SDL_mixer/]. d. SDL_ttf (I used version 2.0.9) [http://www.libsdl.org/projects/SDL_ttf/]..2. Once you have SDL, open the SDL direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\howtotheme.html (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):12081
                                                          Entropy (8bit):4.803085884480498
                                                          Encrypted:false
                                                          SSDEEP:192:GJJ6dzAFbjDECAUYMfPCpBjUipqr6n1LcVm+QdmG/x1L5/lNGI7:e6dzAN3/fCnpK6nlc0+gbF7
                                                          MD5:4C5FDDC1BE71C19D6E1AE718916F5878
                                                          SHA1:4F8DF91EBF3DF62F98B4FC92836D1CB36A986DE5
                                                          SHA-256:83BB9EA4E0E5609A959E8ED34D56AB6DD7CBA40D449EC22077ABFD2173A22ED8
                                                          SHA-512:DDC83945B172CF4038E8E7CE97B856FD238E29B8EE05EC1DF196F5B9FD43BC20780B201B8D0438D1A67BD3BF0389BB96A1673C14CB6A722051EC569BF687BA3E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">.<html>.<head>.<title>How to create a theme for Tux Typing 1.5.13</title>.<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">.</head>.<body bgcolor="#ffffff">.<h2>Theming in Tux Typing 1.5.13</h2>.<p><i><b>NOTE (Dec 10, 2008) - this document is not very current. Most importantly, native language support now uses the standard GNU gettext libraries. Also, font selection has been automated by use of SDL_Pango on platforms where is available (GNU/Linux, at this time). The handling of word lists and custom images is unchanged. This document will updated as the maintainer's time allows - DSB</i><b></p>..<p>A "Theme" is a method to change the data which Tuxtyping uses. While this could be used to change the game about Tux and fish, to a game about a Cat and mice, more likely you are interested in making Tuxtyping work in another language. (if you are intersted in creating a new graphical theme like "Racecar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-098P2.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):4390
                                                          Entropy (8bit):5.0878631480288785
                                                          Encrypted:false
                                                          SSDEEP:48:bGKA1YUK6lqGCNsdksZXnA2TZUIZABZpA5DtDVr36ko18dpeQqCvQ48SN7N3kPCz:KKA1HCNsdk5QpvRqCvaw1kPC3flcL+
                                                          MD5:4B8E4F960D80B0458ACBEEA70D025895
                                                          SHA1:8222D99B7F2CC775471BF0B55502627A457202B5
                                                          SHA-256:37D3194DBD584985C5544E805E293C3F2A8833D7CCAF0935AC8678895665DCB3
                                                          SHA-512:E7CCBDFD356A67B757C7B119189AC2C5A4707017AFA589644C9B43EBD72640C73182353EEE74267F9CDB7C66C59EB4FC0E821147A34E16EEE0A347106B915C80
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing Original Author:.----------.Sam Hart <hart@geekcomix.com>..Current Maintainer and Lead Coder:.-------.David Bruce <davidstuartbruce@gmail.com>..Coders:.-------.David Bruce <davidstuartbruce@gmail.com>.Jesse Andrews <jdandr2@uky.edu>.Calvin Arndt <calarndt@tux4kids.org>.Sam Hart <hart@geekcomix.com>.Jacob Greig <bombastic@firstlinux.net>.Sreyas Kurumanghat.<k.sreyas@gmail.com>.Sreerenj Balachandran <bsreerenj@gmail.com>.Vimal Ravi <vimal_ravi@rediff.com>.Prince K. Antony <prince.kantony@gmail.com>.Mobin Mohan <mobinmohan@gmail.com>.Matthew Trey <tux4kids@treyhome.com>.Sarah Frisk <ssfrisk@gmail.com>..Packaging & Ports:.------------------.Holger Levsen <holger@debian.org> - (Debian packager).David Bruce <davidstuartbruce@gmail.com> - (Windows crossbuild using Linux host, OpenSUSE Build Service rpm packages, MacPorts build).Alex Shorthouse <ashorthouse@rsd13.org> - (more recent Mac OSX port).Luc Shrivers <Begasus@skynet.be> - (BeOS/Haiku port)..(previous packagers:).David Mar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-6O94V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):76502
                                                          Entropy (8bit):2.4185965872860735
                                                          Encrypted:false
                                                          SSDEEP:384:cvXuypQc+jWYla0GOtQBknkYVM/kLR78k/RPfkRr06uUxKQH6k+9i:c2aEWyZztmknkeM/kd78k5Pfk086kl
                                                          MD5:B5A080B27B5B4C1A160D2BED1FCFAF9F
                                                          SHA1:B50287B75A3B098301455E34C8D8E52A09FA8938
                                                          SHA-256:4C825530CA79E944B63C56ED30BE58EF792B4ADAB6F7F38ABAB8C054432F4A86
                                                          SHA-512:4EFCE9472E21B052B8FE8113DD3B5480586C06CD27C8535712B10BAE2F7E32F33530A9E8C8DA6F6D8FEAD682EE556EAEC0CDA2525CE9121EC95B6E25F3075696
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1 Notes on the Free Translation Project.***************************************..Free software is going international! The Free Translation Project is.a way to get maintainers of free software, translators, and users all.together, so that free software will gradually become able to speak many.languages. A few packages already provide translations for their.messages... If you found this `ABOUT-NLS' file inside a distribution, you may.assume that the distributed package does use GNU `gettext' internally,.itself available at your nearest GNU archive site. But you do _not_.need to install GNU `gettext' prior to configuring, installing or using.this package with messages translated... Installers will find here some useful hints. These notes also.explain how users should proceed for getting the programs to use the.available translations. They tell how people wanting to contribute and.work on translations can contact the appropriate team... When reporting bugs in the `intl/' direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-71NV9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):12081
                                                          Entropy (8bit):4.803085884480498
                                                          Encrypted:false
                                                          SSDEEP:192:GJJ6dzAFbjDECAUYMfPCpBjUipqr6n1LcVm+QdmG/x1L5/lNGI7:e6dzAN3/fCnpK6nlc0+gbF7
                                                          MD5:4C5FDDC1BE71C19D6E1AE718916F5878
                                                          SHA1:4F8DF91EBF3DF62F98B4FC92836D1CB36A986DE5
                                                          SHA-256:83BB9EA4E0E5609A959E8ED34D56AB6DD7CBA40D449EC22077ABFD2173A22ED8
                                                          SHA-512:DDC83945B172CF4038E8E7CE97B856FD238E29B8EE05EC1DF196F5B9FD43BC20780B201B8D0438D1A67BD3BF0389BB96A1673C14CB6A722051EC569BF687BA3E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">.<html>.<head>.<title>How to create a theme for Tux Typing 1.5.13</title>.<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">.</head>.<body bgcolor="#ffffff">.<h2>Theming in Tux Typing 1.5.13</h2>.<p><i><b>NOTE (Dec 10, 2008) - this document is not very current. Most importantly, native language support now uses the standard GNU gettext libraries. Also, font selection has been automated by use of SDL_Pango on platforms where is available (GNU/Linux, at this time). The handling of word lists and custom images is unchanged. This document will updated as the maintainer's time allows - DSB</i><b></p>..<p>A "Theme" is a method to change the data which Tuxtyping uses. While this could be used to change the game about Tux and fish, to a game about a Cat and mice, more likely you are interested in making Tuxtyping work in another language. (if you are intersted in creating a new graphical theme like "Racecar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-GB5QC.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1043
                                                          Entropy (8bit):4.6860266698980135
                                                          Encrypted:false
                                                          SSDEEP:24:NPVQRBFhBOKsV1+BBMKXOweWYK8dcxTJtXiwyfhpk:NuhBOKM1+BBMKdeLaJRr
                                                          MD5:4D1B4BFAD0C4D377505C3C14B7B60EBB
                                                          SHA1:07CBB76C647E8334506D1D63855689D4D001C4E2
                                                          SHA-256:D00691DE52A7961695100061C9717E57CFFAA2D390A9A25311FB6775122830D5
                                                          SHA-512:83D9BD9811EDFF42ACC72AEDB6DF95C28ABFFC197CC9521F3B3B62CD03B9A577F63E537FD8A6D941E61E6E24C6BE00977B3C98DC6608DBDF302ED6C28AE24449
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Updated 04 Apr 2010..Briefly, here are some current issues:..Tuxtype:..- Code: still needs a lot of cleanup. Tuxtype could benefit markedly from the reorganization using libt4k-common...- Build: mingw-cross-env crossbuild not ready for general consumption....- SDL_mixer 1.2.11 exits unexpectedly on initial call to Mix_OpenAudio(), reason not yet clear....- SDL_Pango builds successfully, but resultant program does not display any text when run under Windows....- If SDL_Pango disabled, configure script fails to link to SDL_ttf...- Build: need current binary build for Mac OS-X..- Input methods: tuxtype does not correctly handle keyboard input that uses more than one keypress for each character (such as Asian languages). The input methods code from tuxpaint has been added to the source tree, but is not yet actually used...- "Content" - could use better lessons to actually teach touch typing in a systematic fashion...- Should display lesson names rather than simply file names, and would b
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-I8QQE.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):3612
                                                          Entropy (8bit):4.707814791494116
                                                          Encrypted:false
                                                          SSDEEP:96:PxyP+cp7u0m7yLhA5hnmQi+8Eea67yrzb4GeC3xLGRLyynj:Pwmw7uh95fiEeVOP41EEyo
                                                          MD5:F5E6311A96B7BD0715FFDD86CF1E1553
                                                          SHA1:BB80358A88F84F8E6A310D9920B92D8F30FF4C14
                                                          SHA-256:F5259F91C0D622D456FA99BE940184BD1EEB8EBD9D4EC28B44669BDD98176B45
                                                          SHA-512:2ED6167B6227A83DC361B175E7ACB0FB23B126E782153B76758D54748AC396D0C19BC6E54E1659A6F4F6B5AE36891EBFAE075D8BBC8C992FAA01388F990D096B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows - DSB...Tux Typing:.An Educational Typing Tutor Game Starring Tux, the Linux Penguin.----------------------------------------------------------------..(To install the game on your system, please read the INSTALL file.).. If you are interested in Translation/moving this game to another . language, please send a mail to .. David Bruce <davidstuartbruce@gmail.com>, . Holger Levsen <debian@layer-acht.org>, or to:.. <tux4kids-tuxtype-dev@lists.alioth.debian.org>.. Additional information on this subject is covered in "HowToTheme.html". in the "doc/en" directory of this package...(Updated 04 Apr 2010)..This is version 1.8.1 of Tux Typing...In Fish Cascade you control Tux as he searches for fish to eat. Fish fall.from the top of the screen. These fish have letters on them. Unforunately.for Tux, eating a fish with a letter on it will cause his stomach to.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-KDGPL.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):15131
                                                          Entropy (8bit):4.682434970392502
                                                          Encrypted:false
                                                          SSDEEP:384:AEUwi5rRL67cyV12rPd34FomzM2/R+qWG:A7FCExGFzeqt
                                                          MD5:CBBD794E2A0A289B9DFCC9F513D1996E
                                                          SHA1:2D29C273FDA30310211BBF6A24127D589BE09B6C
                                                          SHA-256:67F82E045CF7ACFEF853EA0F426575A8359161A0A325E19F02B529A87C4B6C34
                                                          SHA-512:C1D6AA39A08542C0C92057946FA1E6A65759575DE1C446B0D11CDF922B2F41EB088B7DC007CD3858FF4AC8C22D6F02E4FAA94FF6A697064613F073C432FB1EF1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .. GNU GENERAL PUBLIC LICENSE... Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Library General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, not.price. Our General Public Licenses are de
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-LH7R9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):4056
                                                          Entropy (8bit):4.947683257149111
                                                          Encrypted:false
                                                          SSDEEP:96:88AMGX2Jjro4obNTSdO7BUz6pZRgrKGTg:tApGJHoZtSw7arTTg
                                                          MD5:12CD9A17B7741CB9989FEA8AEBF82C6F
                                                          SHA1:B321C8B0122548853C9FCEDE1DCA4640C13711DD
                                                          SHA-256:685964CBDA0311A79D10B315C503B15A7CE3EF9EC60C62AD8CE73DBA21A5986B
                                                          SHA-512:488C19FE3D911FA5A8EC15E3712550BD1F6A2F3BEAF0A98E4432F86C77B891E044E724426F322FCA70B4D88E929F094454FCF890D2EEEC25B209447B95193FE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: How I Ported Tuxtype to Mac OS X:..**Note** I am writing this from memory. These steps should work, but if they do not, contact the tuxtype developer team and search google for answers. That is how I was able to port Tuxtype...**Note** My tuxtye.xcodeproj should exist in the Tuxtype SVN. Open that to see my settings for the project...Requirements: .1. Mac OS 10.4 or higher (10.3, SDL, and Quicktime causes an error, so use 10.4).2. Xcode 2.5 [a free download from Apple's website] (or Xcode 3 should work but has not been tested)...Steps to get Tuxtype working on a Mac:..1. Download the following source codes:. a. SDL (I used version 1.2.12) [http://www.libsdl.org/download-1.2.php]. b. SDL_image (I used version 1.2.6) [http://www.libsdl.org/projects/SDL_image/]. c. SDL_mixer (I used version 1.2.8) [http://www.libsdl.org/projects/SDL_mixer/]. d. SDL_ttf (I used version 2.0.9) [http://www.libsdl.org/projects/SDL_ttf/]..2. Once you have SDL, open the SDL direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-MKJK3.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4599
                                                          Entropy (8bit):4.991877820151237
                                                          Encrypted:false
                                                          SSDEEP:96:rmgAmgnPUibMxxUDfGkKnjfRU88f+BktjVKvR1wyQeQHDZoN:yiXsMPZW88f+XvR9QHtE
                                                          MD5:969851E3A70122069A4D9EE61DD5A2ED
                                                          SHA1:C450C836DB375B12AB7A4C10B09375513D905A68
                                                          SHA-256:CE243FD4A62B1B76C959FFBA6EC16A7A3146B2362D441AE4F9F7F32FC3750D6C
                                                          SHA-512:54B335554F88E01EF0B07ED5F20C7FBC86EDE2E6395BA53AFC7B5DDF8C7DA728309A70E178ACD5AA8AFD16BCDF64527A1ACBB54D51D693A2966D34218F963DCE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Copyright (c) <dates>, <Copyright Holder> (<URL|email>),.with Reserved Font Name <Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>),.with Reserved Font Name <additional Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>)...This Font Software is licensed under the SIL Open Font License, Version 1.1..This license is copied below, and is also available with a FAQ at:.http://scripts.sil.org/OFL...-----------------------------------------------------------.SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007.-----------------------------------------------------------..PREAMBLE.The goals of the Open Font License (OFL) are to stimulate worldwide.development of collaborative font projects, to support the font creation.efforts of academic and linguistic communities, and to provide a free and.open framework in which fonts may be shared and improved in partnership.with others...The OFL allows the licensed fonts to be used,
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-NGKMM.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):36160
                                                          Entropy (8bit):4.7594335666742
                                                          Encrypted:false
                                                          SSDEEP:192:n6RclftgswUxW/UJT57VEhtiS06VkndpfZsZKZgZjZo9qR9ILWZUZyZFZaZMZ7ZJ:BTgswUR7VEhGyBN
                                                          MD5:AADCC5C24B7AA66773A82C8DCF90DC3F
                                                          SHA1:35AB43174C9489801E957ED0E19E50ABD6ED655D
                                                          SHA-256:9C8C1508E4255C98C0ECBFFB6184C50711E32B2B150346CE2B53AA58BD5749DC
                                                          SHA-512:5127B56915677B5E1E17C8FB9B8B9B26BCA07B53E9585437B38B1E94F422EDA5ED7B59BA86DFBFE0247E75A8351C61BAE505874AE3D2A3410275AA51154CC6C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <HTML>.<BODY>.<H1>TuxType Custom Scripting Reference</H1>.<h3>Contents</h3>.<a href="#introduction">Introduction</a><BR>.<a href="#locations">File Locations</a><BR>.<a href="#basics">The Basics</a><BR>.<a href="#hierarchy">XML Tag Hierarchy</a><BR>.<a href="#samples">Samples</a><BR>.<a href="#tags">Tag Reference</a><BR>..<BR><BR><BR><BR>.<a name="introduction">.<h4>Introduction</h4>.Tuxtype lessons can be customized with relative ease. It just takes a little<BR>.imagination, and a text editor.<BR>.<BR>.<a name="locations">.<h4>File Locations</h4>.Tuxtype first looks in your language (theme) directory for lesson files<BR>.<B>(Non-English Users Only)</B><BR>.eg: (&lt;TuxType directory&gt;/data/themes/&lt;language&gt;/scripts/),<BR><BR>.or in the default directory if you are using TuxType in english<BR>.(&lt;TuxType directory&gt;/data/scripts/)<BR>.<BR>.If there is not a scripts folder in your language (theme) directory, You may<BR>.safely create it<BR>.<BR>.<a name="basics">.<h4>The Ba
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-Q5V6P.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):29717
                                                          Entropy (8bit):4.7846516544735325
                                                          Encrypted:false
                                                          SSDEEP:384:smHYO2QyLSEN5KmtCVtaMmy8dnMQxWMW0bbyyuE1T0+bTh1qWBHXYzI1W5L4V8Gd:1aQHej26aWvm6cC0WFmPY
                                                          MD5:DD4E1B9708EF55F30D06198198AD2B03
                                                          SHA1:34092F4338FD69E66F8C4525201BCF760FD55019
                                                          SHA-256:07DEC805477121755D2C4309547017BBF6AE4A439C8D3925B7D928CAB2FFEEA7
                                                          SHA-512:71A3423F3F68B99ECBAD311C00BBD00D9806037D71DDC5378D91D6E01EE64EF44DA8569DA027498D4F94CD0293C5DD504A042B64DEDF875DF92D9D96CE450352
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 04 Apr 2010 (git.debian.org/tux4kids/tuxtype.git - tag = "version-1.8.1".[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.1..- Several minor enhancements - git commit messages now serving as..primary documentation of development, rather than this changelog...- Fish cascade backgrounds now selected randomly...- Fish cascade graphics now use true alpha channel rather than SDL..colorkey...- Some fixes related to file location of custom word lists...09 Nov 2009 (svn.debian.org/tux4kids - revision 1640) .[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.0. - Sarah Frisk's word list editor from GSoC 2009 has been merged in as. a new, somewhat "beta" feature...12 Sep 2009 (svn.debian.org/tux4kids - revision 1532) .[ David Bruce <davidstuartbruce@gmail.com> ]. - Media - new music files and backgrounds contributed by Caroline Ford,. some old sounds (the ones with suboptimal free licensing) removed - Tux. Typing is now 100% DFSG-compliant. Re
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-RUFVL.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):10644
                                                          Entropy (8bit):4.801280319778263
                                                          Encrypted:false
                                                          SSDEEP:192:ZwDpWkkNH3WhWdWjPpAcWaprsKtFd2W7688zIOKBRqB:ZwDpWkCXWhWdWbp7WapTtyW7n0oRqB
                                                          MD5:8FB227C6E1B6375D0AFD0DEED289E0B4
                                                          SHA1:8C30D1E996821D2BA9E84E86214F24CBC094A005
                                                          SHA-256:C4ADD274C0889E61F7F6B591C601842F9F9C3E7C17D36E4374AFEF4E1F899A50
                                                          SHA-512:6BC7638BE91AFD98E0DC37B91007C1997B32CAFDFF524A6B4C06BC5DD61E28E9D184A2B662DBF55765F88CA3BB2DF3C7EBB00CA6287A011001C2D1AF1FA279AF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing 1.8.1.04 Apr 2010..NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows. For GNU/Linux users, you.need the "*dev" files for the SDL libs listed below, and should have the.dev file for SDL_Pango if you want to display non-Western text. TuxType.will build successfully, but without SDL_Pango support, if this header/lib.is not found...Most GNU/Linux users can install Tux Typing with their distribution's .package manager (such as apt or yum). To build from source, you can grab.the tuxtype_w_fonts*tar.gz, untar it, and build with "./configure; make;.make install". You do not need Autotools unless you are building from.a Subversion repository checkout. MacOSX users and Windows users can.install with very user-friendly binary installer packages - DSB...The current web site is http://www.tux4kids.com..The developer mailing list is tux4kids-tuxtype-dev@lists.alioth.debian.org..Feel free to email with any feedback or
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\lesson_scripting_reference.html (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):36160
                                                          Entropy (8bit):4.7594335666742
                                                          Encrypted:false
                                                          SSDEEP:192:n6RclftgswUxW/UJT57VEhtiS06VkndpfZsZKZgZjZo9qR9ILWZUZyZFZaZMZ7ZJ:BTgswUR7VEhGyBN
                                                          MD5:AADCC5C24B7AA66773A82C8DCF90DC3F
                                                          SHA1:35AB43174C9489801E957ED0E19E50ABD6ED655D
                                                          SHA-256:9C8C1508E4255C98C0ECBFFB6184C50711E32B2B150346CE2B53AA58BD5749DC
                                                          SHA-512:5127B56915677B5E1E17C8FB9B8B9B26BCA07B53E9585437B38B1E94F422EDA5ED7B59BA86DFBFE0247E75A8351C61BAE505874AE3D2A3410275AA51154CC6C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <HTML>.<BODY>.<H1>TuxType Custom Scripting Reference</H1>.<h3>Contents</h3>.<a href="#introduction">Introduction</a><BR>.<a href="#locations">File Locations</a><BR>.<a href="#basics">The Basics</a><BR>.<a href="#hierarchy">XML Tag Hierarchy</a><BR>.<a href="#samples">Samples</a><BR>.<a href="#tags">Tag Reference</a><BR>..<BR><BR><BR><BR>.<a name="introduction">.<h4>Introduction</h4>.Tuxtype lessons can be customized with relative ease. It just takes a little<BR>.imagination, and a text editor.<BR>.<BR>.<a name="locations">.<h4>File Locations</h4>.Tuxtype first looks in your language (theme) directory for lesson files<BR>.<B>(Non-English Users Only)</B><BR>.eg: (&lt;TuxType directory&gt;/data/themes/&lt;language&gt;/scripts/),<BR><BR>.or in the default directory if you are using TuxType in english<BR>.(&lt;TuxType directory&gt;/data/scripts/)<BR>.<BR>.If there is not a scripts folder in your language (theme) directory, You may<BR>.safely create it<BR>.<BR>.<a name="basics">.<h4>The Ba
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\Kedage-n.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 26 names, Unicode
                                                          Category:dropped
                                                          Size (bytes):100056
                                                          Entropy (8bit):6.938355019015695
                                                          Encrypted:false
                                                          SSDEEP:1536:f2IGmE7hw5dfZZx1NoA/U5c/H4yQcAa+CrSV/DiU+XB6xAY3DG2NLyPGfGT85Sfx:f2xwLZZxb/U5PyQnaZ2ewrDGiLyPv
                                                          MD5:16024BEA0EB7A59995C59EDF5DF20D8F
                                                          SHA1:33710D5CEEA4684CE09C4616DBE03B881058640F
                                                          SHA-256:9AC4C694374E9BDD49C74E5852A990EAF1256D92DE859E6F2CBC42272102C1A5
                                                          SHA-512:C3B7E12D526745B189AA1606B14E950E1F7913491EF105A8264705E699E0352830F541190477403F8FC3616F1DE6CA9CC111D6A9C96505587B3B0BCCFBABEB0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-878RF.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2003, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):64760
                                                          Entropy (8bit):6.514217361307989
                                                          Encrypted:false
                                                          SSDEEP:1536:/JkO5XuoOM3qn3RDWuLHmBET8La0O5dGXwZR:x75Xu5n3BWubmST8ufdGAz
                                                          MD5:2E6070E9B26AC1377F9208C320D62591
                                                          SHA1:A5C6D4AC71748C0979968A40180A575F611C73D4
                                                          SHA-256:9499F3B7446292DC164A7ACDABD8B6B38AE3D94B9D092004C1ED48DCBB83BB44
                                                          SHA-512:06EB42262382E78D83D48D554EA4453AFB36887C57643CED6128139B71D4465544B79689D939DE52F6EB426788153F71B79F1E3D70563D51632A12D743E5714F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-DJ1Q7.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 26 names, Unicode
                                                          Category:dropped
                                                          Size (bytes):100056
                                                          Entropy (8bit):6.938355019015695
                                                          Encrypted:false
                                                          SSDEEP:1536:f2IGmE7hw5dfZZx1NoA/U5c/H4yQcAa+CrSV/DiU+XB6xAY3DG2NLyPGfGT85Sfx:f2xwLZZxb/U5PyQnaZ2ewrDGiLyPv
                                                          MD5:16024BEA0EB7A59995C59EDF5DF20D8F
                                                          SHA1:33710D5CEEA4684CE09C4616DBE03B881058640F
                                                          SHA-256:9AC4C694374E9BDD49C74E5852A990EAF1256D92DE859E6F2CBC42272102C1A5
                                                          SHA-512:C3B7E12D526745B189AA1606B14E950E1F7913491EF105A8264705E699E0352830F541190477403F8FC3616F1DE6CA9CC111D6A9C96505587B3B0BCCFBABEB0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-K1NF7.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 14 names, Macintosh
                                                          Category:dropped
                                                          Size (bytes):76600
                                                          Entropy (8bit):6.3178993263494165
                                                          Encrypted:false
                                                          SSDEEP:1536:V6ksURZ3E0fWPnVV9X15POG/EVy0Mft4tb1a7Il/6gbScGTDI1uw44f:VpvPRfWPVXj1EVut4V1a7GygGgr
                                                          MD5:4808DDF3A48DC3B6A4F93DBD3D17EB4E
                                                          SHA1:0629A606CF59C08EBCF53DCD9535AE0D30755903
                                                          SHA-256:5EA6D5AF952385A37B83EB3821253D46542AF509673ADD90075E7FEAF1D8B453
                                                          SHA-512:F48B68DC4F4C90125347A8327F8D5C91636630528B5B033045401C784B088FD00FC812B978D4466779419C3EC1AD726B1DA41308079E86A1DB62FBB7E8CAEE88
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-K99HI.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2001, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):58240
                                                          Entropy (8bit):5.620492732134304
                                                          Encrypted:false
                                                          SSDEEP:1536:Q42z0R0cX1S641B6rG+Xp+jPAh7n/pOkfH4r:2QWcXEpX6a+Xp+jo1/pOUHi
                                                          MD5:CC2EE1B756FC72A58C52294854FA35D7
                                                          SHA1:58E6658240C710DD7EB9DE46FDD8515390219196
                                                          SHA-256:B9920211B0E1D19B55FBEF3CB602248FA8F0FF87598878769188209CBB7F6EAC
                                                          SHA-512:1BCC638F7D8901CFE4DCA2983F9C6EFB31C7A5FCAEEEAE06F6252E428111E709F3EDFA55868FFEA412D7BB10F995D81AC7E0C36BA37F8AABB6C985B5B2DC15EF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\lohit_hi.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 14 names, Macintosh
                                                          Category:dropped
                                                          Size (bytes):76600
                                                          Entropy (8bit):6.3178993263494165
                                                          Encrypted:false
                                                          SSDEEP:1536:V6ksURZ3E0fWPnVV9X15POG/EVy0Mft4tb1a7Il/6gbScGTDI1uw44f:VpvPRfWPVXj1EVut4V1a7GygGgr
                                                          MD5:4808DDF3A48DC3B6A4F93DBD3D17EB4E
                                                          SHA1:0629A606CF59C08EBCF53DCD9535AE0D30755903
                                                          SHA-256:5EA6D5AF952385A37B83EB3821253D46542AF509673ADD90075E7FEAF1D8B453
                                                          SHA-512:F48B68DC4F4C90125347A8327F8D5C91636630528B5B033045401C784B088FD00FC812B978D4466779419C3EC1AD726B1DA41308079E86A1DB62FBB7E8CAEE88
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\lohit_pa.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2001, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):58240
                                                          Entropy (8bit):5.620492732134304
                                                          Encrypted:false
                                                          SSDEEP:1536:Q42z0R0cX1S641B6rG+Xp+jPAh7n/pOkfH4r:2QWcXEpX6a+Xp+jo1/pOUHi
                                                          MD5:CC2EE1B756FC72A58C52294854FA35D7
                                                          SHA1:58E6658240C710DD7EB9DE46FDD8515390219196
                                                          SHA-256:B9920211B0E1D19B55FBEF3CB602248FA8F0FF87598878769188209CBB7F6EAC
                                                          SHA-512:1BCC638F7D8901CFE4DCA2983F9C6EFB31C7A5FCAEEEAE06F6252E428111E709F3EDFA55868FFEA412D7BB10F995D81AC7E0C36BA37F8AABB6C985B5B2DC15EF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\lohit_ta.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2003, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):64760
                                                          Entropy (8bit):6.514217361307989
                                                          Encrypted:false
                                                          SSDEEP:1536:/JkO5XuoOM3qn3RDWuLHmBET8La0O5dGXwZR:x75Xu5n3BWubmST8ufdGAz
                                                          MD5:2E6070E9B26AC1377F9208C320D62591
                                                          SHA1:A5C6D4AC71748C0979968A40180A575F611C73D4
                                                          SHA-256:9499F3B7446292DC164A7ACDABD8B6B38AE3D94B9D092004C1ED48DCBB83BB44
                                                          SHA-512:06EB42262382E78D83D48D554EA4453AFB36887C57643CED6128139B71D4465544B79689D939DE52F6EB426788153F71B79F1E3D70563D51632A12D743E5714F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\history.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):421792
                                                          Entropy (8bit):5.89089312168092
                                                          Encrypted:false
                                                          SSDEEP:6144:IBv/Y6oqGY2NID1MMf07QxjopowBvBBvm:IBv/Y6oiYIup7QVopowBvBBvm
                                                          MD5:10F4396344E93CE328529A26CC026082
                                                          SHA1:51895B0BE7B772EBE747336E4E0F57D8BBC5D277
                                                          SHA-256:5CA366D8C7102434E6D8E80C30BA3B4FD99AB5082C629C95D7F870DD8F0F8A27
                                                          SHA-512:770A801011E2FCA3052AF437CAE4930A1BCAF2CAE55FFC7A29249196B26AF7599551BDE4C7CEBDB6472E1A400182E711B9590CBAC90A9F28C7F10FBE37FA064D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE. Version 3, 29 June 2007.. Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed... Preamble.. The GNU General Public License is a free, copyleft license for.software and other kinds of works... The licenses for most software and other practical works are designed.to take away your freedom to share and change the works. By contrast,.the GNU General Public License is intended to guarantee your freedom to.share and change all versions of a program--to make sure it remains free.software for all its users. We, the Free Software Foundation, use the.GNU General Public License for most of our software; it applies also to.any other work released this way by its authors. You can apply it to.your programs, too... When we speak of free software, we are referring to
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-0V44S.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):229376
                                                          Entropy (8bit):6.403618531896028
                                                          Encrypted:false
                                                          SSDEEP:3072:hNj+F2PYTwAEbc8NnQPgd/5LV9Saotx2xhz4lzZoIWpJatWCETGBxdxz0dIAJo9o:NBQdgdhLV02m8pJYETywe9sibJZw
                                                          MD5:B7C7BC0C790C4BA8AE2E7C8608710C3E
                                                          SHA1:8CBE580B7D6C67963563ED69495FF6387EDB0F0E
                                                          SHA-256:6C8B148B4A223D9372D7B56A2BFD5AF5DB0AB9BEF74C3423DE8B2D4E335C3E85
                                                          SHA-512:E60381D44D72A61D73E3959FDB2C8857E6130A0C3E5CAEA64EC55B9C4C41B33FFB347585C7B02501BF06F21B699CB8CB2D48DB5A689BD295BDB06E6CE82C7A27
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-GS64B.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50688
                                                          Entropy (8bit):6.258238022202296
                                                          Encrypted:false
                                                          SSDEEP:1536:LBv1ky0ucs9y43wtHs9AjOQ0oHmfFDbJfhSuH:LBq4pyv29wMoHkFDbJfhf
                                                          MD5:B690FDD8FCD1C2700F35388E9B1E5974
                                                          SHA1:51669DD917B3F81B7D4526AF36938DCF8C0AA7D9
                                                          SHA-256:3D5A5623CDEA823A14102A43CAC78902A73840434BA0FE9447AA8F37F887AF4A
                                                          SHA-512:D8F63A1893211D958A47EDDC9CFC5DE7F8FDF7F530662722D2176C8CAF4B8D0791F43BB59048FB075C7F820FB86BD8C79FE96696392A7E336860638A3CEE6B9E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qgif4.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50688
                                                          Entropy (8bit):6.258238022202296
                                                          Encrypted:false
                                                          SSDEEP:1536:LBv1ky0ucs9y43wtHs9AjOQ0oHmfFDbJfhSuH:LBq4pyv29wMoHkFDbJfhf
                                                          MD5:B690FDD8FCD1C2700F35388E9B1E5974
                                                          SHA1:51669DD917B3F81B7D4526AF36938DCF8C0AA7D9
                                                          SHA-256:3D5A5623CDEA823A14102A43CAC78902A73840434BA0FE9447AA8F37F887AF4A
                                                          SHA-512:D8F63A1893211D958A47EDDC9CFC5DE7F8FDF7F530662722D2176C8CAF4B8D0791F43BB59048FB075C7F820FB86BD8C79FE96696392A7E336860638A3CEE6B9E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qjpeg4.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):229376
                                                          Entropy (8bit):6.403618531896028
                                                          Encrypted:false
                                                          SSDEEP:3072:hNj+F2PYTwAEbc8NnQPgd/5LV9Saotx2xhz4lzZoIWpJatWCETGBxdxz0dIAJo9o:NBQdgdhLV02m8pJYETywe9sibJZw
                                                          MD5:B7C7BC0C790C4BA8AE2E7C8608710C3E
                                                          SHA1:8CBE580B7D6C67963563ED69495FF6387EDB0F0E
                                                          SHA-256:6C8B148B4A223D9372D7B56A2BFD5AF5DB0AB9BEF74C3423DE8B2D4E335C3E85
                                                          SHA-512:E60381D44D72A61D73E3959FDB2C8857E6130A0C3E5CAEA64EC55B9C4C41B33FFB347585C7B02501BF06F21B699CB8CB2D48DB5A689BD295BDB06E6CE82C7A27
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-1UL10.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41984
                                                          Entropy (8bit):6.132770955803513
                                                          Encrypted:false
                                                          SSDEEP:768:bgaowTgGpoQHcE4UJmcCqr7/rz/WGc4kedF0emlBQQhpjxH:bgsppvHc1Cb7ldnmlBQkdH
                                                          MD5:4D233A220F91DE3B1510D017B5481942
                                                          SHA1:C59F449B0D09127D18268E7B07DA3F7D749B2720
                                                          SHA-256:08336089E280805C8AC89F7476526F944B5868C014748B6DC29F65167E9E3AB0
                                                          SHA-512:A86A1F9B5D160813C6E2F771962F303428604057B9613021BF7844C1204CFCA0A18571A28D950D7999ACC4ECDE0605095F9A460A9B79FE2BBE02F080C2683923
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-33ENG.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):182365
                                                          Entropy (8bit):6.791628337519772
                                                          Encrypted:false
                                                          SSDEEP:3072:FiP8zpgWMwBsaEcWfsUGPWTSMqqDVw7P3FwBP1ELFy:Fu8NsgsidwxqqDVMFwBaFy
                                                          MD5:854C550450BEDDEBAAFE1DD74F073641
                                                          SHA1:3DB1545773EA7756D6A87B3693148ABCD1CDAB86
                                                          SHA-256:8561D32E30B3DEC9FFD24B1BD87E96444FD6D3D304D64F80C6D99E112411DC48
                                                          SHA-512:42AF4079F184A0F8E22689F55DFA225F10B20FF8C0816D728CE022573E5EF1F1412B87000F0EF375D7DFC2A1D734A2047D539597EA4FE8EF1D5A2895053C50D1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5F8P5.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.027050012874634
                                                          Encrypted:false
                                                          SSDEEP:768:bKZB2wewH8k43RncCqCbj9zAwLc0N+eD5JemQRR5Q7:bKZr5H8VmuECDGmQRR5Q7
                                                          MD5:CF2571C125FA1D2EC55B9977054F380A
                                                          SHA1:91014DD50F0EEB0D3D1FAED77541C76A05B712B8
                                                          SHA-256:02B817B6DB18DB2DFCCEFDD08EED64A696E2BF326F4120EE7E93AE6AA73BCCB3
                                                          SHA-512:A95BF3436EA2FAC443924C5FC31FCD4337A44702EF38CA82D744474301E53F14721EAEB0F21E515CCFF8569E7B7D81107FB5A4CF2AE485CD4A5D2DC95DAE8F9B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5P6B9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):120774
                                                          Entropy (8bit):6.037077757732975
                                                          Encrypted:false
                                                          SSDEEP:3072:nPE0Yx2cwD/Dtixvr6FkTwCD4N8FBKd8UR:sMzD/amFE4NQKd8UR
                                                          MD5:082A8171C726E58C1618DA3781AB7833
                                                          SHA1:5D74E7F8F5E14C1A70331A03456C68BB33AC17E2
                                                          SHA-256:AE1A1179289D1AB3B406F4BB347284464123C51BE50C1BCF38F2B5DD691E065C
                                                          SHA-512:837433AA29DFF1BD35AEB800B8DC69FB881BB2C435BF5BBA0AD7E809AD4CEA765B179DB4024A53F92E6B905FC964F23ED79949FA84424F864BBB88F140BD8682
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-7MTO8.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4910592
                                                          Entropy (8bit):6.572031041695352
                                                          Encrypted:false
                                                          SSDEEP:49152:dYQUcTX0/fq7b81I89fNkiiD3khqwqREQDfqtd4keAG4/lqQNOhw5XlAzmGLateC:5zB7b8O8QZrjwwhw5XlACGm8CtxARti
                                                          MD5:11DD538F1BF5F174834DBA334964A691
                                                          SHA1:3B080FA94C71CFAB65A0CD407EACAC4C2B1B2378
                                                          SHA-256:1BC4B73613228169EF7F57222EF36A6D9B3A2F3347EFA2228C53DC3B83559888
                                                          SHA-512:8E0A0455BDECBA073B06BE610917C71B6082745DF91B34C2663BC8D86361E71EA8FFF3D222E087AA3560A1AEE3455CA1DC7F2957726D86B001F4124DE220F911
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-AFSCM.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):46592
                                                          Entropy (8bit):6.294286952115658
                                                          Encrypted:false
                                                          SSDEEP:768:BZIF0ff+vrzUHQH/E4zR2cCqz7iDz3Kocq8eeIKKem+nH3g/i3/:BWFsf+vrzUwH/15EzFeIWm+H3R3
                                                          MD5:84E8E72572D53558D52403011FA0D388
                                                          SHA1:865160DA7DBFAAEA224541EB44E9430E1A7B7B20
                                                          SHA-256:CA717B5CF2A7B0E047AABAD985C631278941C58F16E2E9650CA12C3A331FCD4F
                                                          SHA-512:47EE932BFA4EE3C51C3828EF8C6923E5B946966AD8E255BC2C53A60443AA2D4AB17521F21912A6F0469C7898D6543DC4B1783A86DDB5A84568818A7B37EC3992
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-B5IQO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.9471839268980276
                                                          Encrypted:false
                                                          SSDEEP:1536:1qkfBMFLAlVQtlJR5E7kGJasMaooupW51+SXKl6U22Ol2B:RZ4LRa7ksasM3f4C6d2Ol2B
                                                          MD5:8E8285AAC0EF77A6CEDE53EAFE9C5298
                                                          SHA1:8A4715C1C8591B83B925282AF5BA72832C1CA0FC
                                                          SHA-256:3A94A8E5F9AB0ECA82611F95DC78C07C5093574C772B9C19D590F8E959191973
                                                          SHA-512:04F24CFA4F187FBE897033359EB3A2DA19C4225B514E0D6EE269D741C8BF86D9F7A5860AE2DE676DF1748C0D64CCB9DD58758CBE1524FF938C99224AFD30997F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-FCT1V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):80653
                                                          Entropy (8bit):5.935029812256724
                                                          Encrypted:false
                                                          SSDEEP:1536:K7jqZI3jgg9IJgo+wrcKl8l2gdejHL8jT7x8ZKQi3uh:yUojggfo+wgl2gGHLYXx80T3uh
                                                          MD5:266FA5BAC8FAB45A57B3EB68495334F4
                                                          SHA1:C845B88A5F2279E348886E4D6246F855ACAA85B9
                                                          SHA-256:C8A3B86D6E930B21F428A3CAC3CC8FB432716D16043824DF886731565BFE8A23
                                                          SHA-512:EF8CAEF0A926865D4B1FE0CE51DC9542B814EB76392F85895A042AC514C529426519C83BCEC2EB976848D174D504E2852FA854C06A70D21F4E16DEBD533E3D0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-HRO44.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):232976
                                                          Entropy (8bit):6.644092741800531
                                                          Encrypted:false
                                                          SSDEEP:6144:VBx0S/dXV86pr06/oG5NMR2jzm1YunTcUmAe0I70s0cYJyUqQmoUjW2v4ZzuFdA:hldXVjTD/m1YunTcZAe0I70s0cYQUqoX
                                                          MD5:A80D629D6329DC31D5CB1157D853AFAB
                                                          SHA1:A2FA781452106CDF17A83E3E59C6FE50D557E62C
                                                          SHA-256:500EE04865DBB7BEB9474E0C2AEBD6713DF4407C849EC134457C7D0CA289FAF0
                                                          SHA-512:4E0253615D4C3C418B93547370F416EDF5326BF66E3A5872C687B129E65E5967DC3D4AE97CF524CA5E77327B0CE07D93BA63470D541614A6685EBD26E0C7427B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-JEA3R.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):15099
                                                          Entropy (8bit):4.490145322936716
                                                          Encrypted:false
                                                          SSDEEP:192:s4HVPM3N2zi6547iYOE6k+jLPv4IdQQXyAOiDaoL8HZwM3fxEq/Sl4eAxjf+6:s4Hmv7iE6kY4I9yAO2NL8OMBI4eAxTV
                                                          MD5:D13ADE1829C8B1A1621DB24D91F2D082
                                                          SHA1:A7BD24E809EF9BE6A37EF2BD01D23D4465E979DD
                                                          SHA-256:079952DC637DBAA9806C40A001BF5837079ADE9066F8AA18C80D23507B7E3DA3
                                                          SHA-512:33FCD64FB4881801AC269A4065C2223C0A02EEDD1132EDC0E92EF35CDCC96DB669676681C26FBF3605DD1E8982919BECA1E644935F0C2B39537CD8D2886F41BC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE....Version 2, June 1991....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth..Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute..verbatim copies of this license document, but changing it is not allowed.....Preamble....The licenses for most software are designed to take away your freedom to share..and change it. By contrast, the GNU General Public License is intended to..guarantee your freedom to share and change free software--to make sure the..software is free for all its users. This General Public License applies to most..of the Free Software Foundation's software and to any other program whose..authors commit to using it. (Some other Free Software Foundation software is..covered by the GNU Library General Public License instead.) You can apply it to..your programs, too.....When we speak of free software, we are referring to freedom, not price. Our..General Public Licenses are designed to make sure tha
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-KTI9L.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32585
                                                          Entropy (8bit):5.416596489081668
                                                          Encrypted:false
                                                          SSDEEP:384:5735N1fmZFO+S2uCtA2ostKbKSGQWlVsMb9XaVuXYA4iYG+mbe3FhEKoafNDhwrc:+6AuBOgPW3dasqiYGxq3FmKhrh
                                                          MD5:F68C187D209127BB0A4487B23EC29A25
                                                          SHA1:54726179BDDE7A6BD341B2BA3464E3B79CEA08C7
                                                          SHA-256:23FD4DAAB07107BFB9FD0950C0490BA65DF2FBC21680E46D9B93800E38BD1943
                                                          SHA-512:7364E67CBE7449C35930649C1B1360B88448893CCC207D1DCF5D3216F6C9CE33C9F4B0873A1E6AAC8C151A76F9D082B4C5C1E42DBA5800B789B72F74C9065540
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-L6ITB.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):53248
                                                          Entropy (8bit):4.571289360851901
                                                          Encrypted:false
                                                          SSDEEP:384:Lo5zW/Z0L39rAzRdjfNnCuYE0myI+Stu1OooEoZj1ofV5dkn67vc6ea3bKyEeJPG:LorLSpl2HJ3orWB3F9JUsm/n
                                                          MD5:253BC53169AD46B1EAFB92982BA7268E
                                                          SHA1:3F2F8C6324480B1F39C7BC06B8503FEEDFE5DEF4
                                                          SHA-256:CA513F09B64F8E3DC8EE09663854ADF7E4E84544133D07A3A2EF55701ABFAD4C
                                                          SHA-512:AB6847F2B7E07E85D555B313D63F74D4E74E50EA09EF32FE427822A25ECA12264A49347428D32F42ED65C669C28DAC426310BBD401A21C03177BD9729CFB5E08
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-MMNOC.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.049364088538635
                                                          Encrypted:false
                                                          SSDEEP:384:RHKAwDe/yMw0U0GuOI+KDYZ1EWsLKkSqPmMmg2oes9yzCuFYh3oDqLjBISO0IqMU:RHKAm0UsO76WsxDmELsCDIMiH3YN
                                                          MD5:928C9EEA653311AF8EFC155DA5A1D6A5
                                                          SHA1:27300FCD5C22245573F5595ECBD64FCE89C53750
                                                          SHA-256:6DC4BEE625A2C5E3499E36FE7C6FF8EAD92ADF6AAE40C4099FDC8EF82E85B387
                                                          SHA-512:0541D706BB53F8A04C78FCF327C4557553FA901D645AD2FD446E79753B4729F1E36793F42FBDD9B5E92073A30ED9A3DD853773A06EBEA8E9302ECE91A6C5362C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-N95UU.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):147456
                                                          Entropy (8bit):5.132194016685221
                                                          Encrypted:false
                                                          SSDEEP:3072:Ju6aJX0iugleTtmPzeLmQlV9MxSh356/JwQ3QklkuSmpKFb4NbkR2:9aJX0i9PaLmQlVxhw53w5bsbk
                                                          MD5:D817A6EC84CC47899F249B2C03B5F985
                                                          SHA1:5EBF96041A694C85BAD7F71F0679F64700EE272E
                                                          SHA-256:0A5DC4026BCEEB4AFDDDD73E3E16CC7224B2640E86A379D9AFE6E5A81CE1ECDC
                                                          SHA-512:96D161C7844304D4466384F5A25E27E54F0A79FEFC51E0656746837D31772EB84AB203E13686391B5FA0126F0F3C705876C1C1AE8EEF4E4F0EC67C8C379918A2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-OSEV1.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):183312
                                                          Entropy (8bit):6.740673842072804
                                                          Encrypted:false
                                                          SSDEEP:3072:8vvDF1nexZZNNi2k7EBSh2BL5BvgjTSxUCwb5bL8Bu1A5d:8nDF1nexZZBk7Rhi8jTnLMu1A/
                                                          MD5:E9644E54C403DD5C0EF89C85ADA3E295
                                                          SHA1:A42708B2837DBA534E4CB866266E4959B28DA452
                                                          SHA-256:72ECD276B372487AF75C67877ECCC0ED4D15F2C07FFA7F631D8056038D0E8122
                                                          SHA-512:22411A9E8A9F7082B4CF90C3C906E414B62B4BD2B9B10EA1694EC5651E3DEC8D2E4716354F5B09D6396F4C094555F5F08B26534647A98DFA7B3039D6C1E219F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-Q7NRR.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4506112
                                                          Entropy (8bit):6.845537378265025
                                                          Encrypted:false
                                                          SSDEEP:98304:FNk4pd+tbCY0HAYYid0wHYNkzi5bbTGksCWj:Yud+tWYOYezi5rGkn6
                                                          MD5:BD67B10210CEE1EC1F07A6CFD1954C77
                                                          SHA1:6DF09D5D96BF13F7A1515031AC5DF116F1159A48
                                                          SHA-256:EC6C0F1448E3C2A27BC67C354E1315A1E9088E4E517D099F87036E728B084AD2
                                                          SHA-512:BE053FB03C6123F6DB7FA4E3024A5C632007D516CF430ECA221387A77A2EA91A36976DA38467B5CAD4331E3ED7034E6D0686E323BD56CF2C439378A76288ED34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-RSFVI.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):421792
                                                          Entropy (8bit):5.89089312168092
                                                          Encrypted:false
                                                          SSDEEP:6144:IBv/Y6oqGY2NID1MMf07QxjopowBvBBvm:IBv/Y6oiYIup7QVopowBvBBvm
                                                          MD5:10F4396344E93CE328529A26CC026082
                                                          SHA1:51895B0BE7B772EBE747336E4E0F57D8BBC5D277
                                                          SHA-256:5CA366D8C7102434E6D8E80C30BA3B4FD99AB5082C629C95D7F870DD8F0F8A27
                                                          SHA-512:770A801011E2FCA3052AF437CAE4930A1BCAF2CAE55FFC7A29249196B26AF7599551BDE4C7CEBDB6472E1A400182E711B9590CBAC90A9F28C7F10FBE37FA064D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE. Version 3, 29 June 2007.. Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed... Preamble.. The GNU General Public License is a free, copyleft license for.software and other kinds of works... The licenses for most software and other practical works are designed.to take away your freedom to share and change the works. By contrast,.the GNU General Public License is intended to guarantee your freedom to.share and change all versions of a program--to make sure it remains free.software for all its users. We, the Free Software Foundation, use the.GNU General Public License for most of our software; it applies also to.any other work released this way by its authors. You can apply it to.your programs, too... When we speak of free software, we are referring to
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-TECE4.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):7182
                                                          Entropy (8bit):3.851683776363626
                                                          Encrypted:false
                                                          SSDEEP:96:AT0nsNJmBwoCtrOEhXpOITI151ihv2idiG:83KwoCtrOESITI151ihvtp
                                                          MD5:A5A239C980D6791086B7FE0E2CA38974
                                                          SHA1:DBD8E70DB07AC78E007B13CC8AE80C9A3885A592
                                                          SHA-256:FB33C708C2F83C188DC024B65CB620D7E2C3939C155BC1C15DC73DCCEBE256B7
                                                          SHA-512:8667904DDA77C994F646083EF39B1F69C2961758C3DA60CECADFE6D349DD99934C4D8784F8E38AE8B8C9EB9762EDD546F2A7B579F02612578F8049E9D10E8DA7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-VO510.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):95232
                                                          Entropy (8bit):6.030616936830931
                                                          Encrypted:false
                                                          SSDEEP:1536:2LUkWfOuFIGlk4dltwXg2/y8fN3SOpynIS9384xZLr0alK3TVzVf1JJKDo7wvaJT:2LVWfOuSItk3/hZS1d/04CTpVf1JJKDC
                                                          MD5:8C72FC2D0C83E1698B0FC50775310B16
                                                          SHA1:D8C49BB33E9239CFBD76FFCCE8A95485A90A46BF
                                                          SHA-256:31A3DDED0E009827E09BE2B2BEC6FC033CB06C147AF67FBE818EA82FD5541BE2
                                                          SHA-512:B9630C7B6E53B276FC0C101E054530E51493989870AEAD05207BA4CE36BCEA946DDDB0B130EF5A2379F10930DCA4AF2036E32AF75FF38D6430145D89AE9E0B37
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libbson-1.0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):183312
                                                          Entropy (8bit):6.740673842072804
                                                          Encrypted:false
                                                          SSDEEP:3072:8vvDF1nexZZNNi2k7EBSh2BL5BvgjTSxUCwb5bL8Bu1A5d:8nDF1nexZZBk7Rhi8jTnLMu1A/
                                                          MD5:E9644E54C403DD5C0EF89C85ADA3E295
                                                          SHA1:A42708B2837DBA534E4CB866266E4959B28DA452
                                                          SHA-256:72ECD276B372487AF75C67877ECCC0ED4D15F2C07FFA7F631D8056038D0E8122
                                                          SHA-512:22411A9E8A9F7082B4CF90C3C906E414B62B4BD2B9B10EA1694EC5651E3DEC8D2E4716354F5B09D6396F4C094555F5F08B26534647A98DFA7B3039D6C1E219F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libffi-6.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32585
                                                          Entropy (8bit):5.416596489081668
                                                          Encrypted:false
                                                          SSDEEP:384:5735N1fmZFO+S2uCtA2ostKbKSGQWlVsMb9XaVuXYA4iYG+mbe3FhEKoafNDhwrc:+6AuBOgPW3dasqiYGxq3FmKhrh
                                                          MD5:F68C187D209127BB0A4487B23EC29A25
                                                          SHA1:54726179BDDE7A6BD341B2BA3464E3B79CEA08C7
                                                          SHA-256:23FD4DAAB07107BFB9FD0950C0490BA65DF2FBC21680E46D9B93800E38BD1943
                                                          SHA-512:7364E67CBE7449C35930649C1B1360B88448893CCC207D1DCF5D3216F6C9CE33C9F4B0873A1E6AAC8C151A76F9D082B4C5C1E42DBA5800B789B72F74C9065540
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgmodule-2.0-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41984
                                                          Entropy (8bit):6.132770955803513
                                                          Encrypted:false
                                                          SSDEEP:768:bgaowTgGpoQHcE4UJmcCqr7/rz/WGc4kedF0emlBQQhpjxH:bgsppvHc1Cb7ldnmlBQkdH
                                                          MD5:4D233A220F91DE3B1510D017B5481942
                                                          SHA1:C59F449B0D09127D18268E7B07DA3F7D749B2720
                                                          SHA-256:08336089E280805C8AC89F7476526F944B5868C014748B6DC29F65167E9E3AB0
                                                          SHA-512:A86A1F9B5D160813C6E2F771962F303428604057B9613021BF7844C1204CFCA0A18571A28D950D7999ACC4ECDE0605095F9A460A9B79FE2BBE02F080C2683923
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgpg-error6-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):95232
                                                          Entropy (8bit):6.030616936830931
                                                          Encrypted:false
                                                          SSDEEP:1536:2LUkWfOuFIGlk4dltwXg2/y8fN3SOpynIS9384xZLr0alK3TVzVf1JJKDo7wvaJT:2LVWfOuSItk3/hZS1d/04CTpVf1JJKDC
                                                          MD5:8C72FC2D0C83E1698B0FC50775310B16
                                                          SHA1:D8C49BB33E9239CFBD76FFCCE8A95485A90A46BF
                                                          SHA-256:31A3DDED0E009827E09BE2B2BEC6FC033CB06C147AF67FBE818EA82FD5541BE2
                                                          SHA-512:B9630C7B6E53B276FC0C101E054530E51493989870AEAD05207BA4CE36BCEA946DDDB0B130EF5A2379F10930DCA4AF2036E32AF75FF38D6430145D89AE9E0B37
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgthread-2.0-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.027050012874634
                                                          Encrypted:false
                                                          SSDEEP:768:bKZB2wewH8k43RncCqCbj9zAwLc0N+eD5JemQRR5Q7:bKZr5H8VmuECDGmQRR5Q7
                                                          MD5:CF2571C125FA1D2EC55B9977054F380A
                                                          SHA1:91014DD50F0EEB0D3D1FAED77541C76A05B712B8
                                                          SHA-256:02B817B6DB18DB2DFCCEFDD08EED64A696E2BF326F4120EE7E93AE6AA73BCCB3
                                                          SHA-512:A95BF3436EA2FAC443924C5FC31FCD4337A44702EF38CA82D744474301E53F14721EAEB0F21E515CCFF8569E7B7D81107FB5A4CF2AE485CD4A5D2DC95DAE8F9B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libintl-8.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):120774
                                                          Entropy (8bit):6.037077757732975
                                                          Encrypted:false
                                                          SSDEEP:3072:nPE0Yx2cwD/Dtixvr6FkTwCD4N8FBKd8UR:sMzD/amFE4NQKd8UR
                                                          MD5:082A8171C726E58C1618DA3781AB7833
                                                          SHA1:5D74E7F8F5E14C1A70331A03456C68BB33AC17E2
                                                          SHA-256:AE1A1179289D1AB3B406F4BB347284464123C51BE50C1BCF38F2B5DD691E065C
                                                          SHA-512:837433AA29DFF1BD35AEB800B8DC69FB881BB2C435BF5BBA0AD7E809AD4CEA765B179DB4024A53F92E6B905FC964F23ED79949FA84424F864BBB88F140BD8682
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libmongoc-1.0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):232976
                                                          Entropy (8bit):6.644092741800531
                                                          Encrypted:false
                                                          SSDEEP:6144:VBx0S/dXV86pr06/oG5NMR2jzm1YunTcUmAe0I70s0cYJyUqQmoUjW2v4ZzuFdA:hldXVjTD/m1YunTcZAe0I70s0cYQUqoX
                                                          MD5:A80D629D6329DC31D5CB1157D853AFAB
                                                          SHA1:A2FA781452106CDF17A83E3E59C6FE50D557E62C
                                                          SHA-256:500EE04865DBB7BEB9474E0C2AEBD6713DF4407C849EC134457C7D0CA289FAF0
                                                          SHA-512:4E0253615D4C3C418B93547370F416EDF5326BF66E3A5872C687B129E65E5967DC3D4AE97CF524CA5E77327B0CE07D93BA63470D541614A6685EBD26E0C7427B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libnettle-4-6.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):182365
                                                          Entropy (8bit):6.791628337519772
                                                          Encrypted:false
                                                          SSDEEP:3072:FiP8zpgWMwBsaEcWfsUGPWTSMqqDVw7P3FwBP1ELFy:Fu8NsgsidwxqqDVMFwBaFy
                                                          MD5:854C550450BEDDEBAAFE1DD74F073641
                                                          SHA1:3DB1545773EA7756D6A87B3693148ABCD1CDAB86
                                                          SHA-256:8561D32E30B3DEC9FFD24B1BD87E96444FD6D3D304D64F80C6D99E112411DC48
                                                          SHA-512:42AF4079F184A0F8E22689F55DFA225F10B20FF8C0816D728CE022573E5EF1F1412B87000F0EF375D7DFC2A1D734A2047D539597EA4FE8EF1D5A2895053C50D1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libogg-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):46592
                                                          Entropy (8bit):6.294286952115658
                                                          Encrypted:false
                                                          SSDEEP:768:BZIF0ff+vrzUHQH/E4zR2cCqz7iDz3Kocq8eeIKKem+nH3g/i3/:BWFsf+vrzUwH/15EzFeIWm+H3R3
                                                          MD5:84E8E72572D53558D52403011FA0D388
                                                          SHA1:865160DA7DBFAAEA224541EB44E9430E1A7B7B20
                                                          SHA-256:CA717B5CF2A7B0E047AABAD985C631278941C58F16E2E9650CA12C3A331FCD4F
                                                          SHA-512:47EE932BFA4EE3C51C3828EF8C6923E5B946966AD8E255BC2C53A60443AA2D4AB17521F21912A6F0469C7898D6543DC4B1783A86DDB5A84568818A7B37EC3992
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libssl-40.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4506112
                                                          Entropy (8bit):6.845537378265025
                                                          Encrypted:false
                                                          SSDEEP:98304:FNk4pd+tbCY0HAYYid0wHYNkzi5bbTGksCWj:Yud+tWYOYezi5rGkn6
                                                          MD5:BD67B10210CEE1EC1F07A6CFD1954C77
                                                          SHA1:6DF09D5D96BF13F7A1515031AC5DF116F1159A48
                                                          SHA-256:EC6C0F1448E3C2A27BC67C354E1315A1E9088E4E517D099F87036E728B084AD2
                                                          SHA-512:BE053FB03C6123F6DB7FA4E3024A5C632007D516CF430ECA221387A77A2EA91A36976DA38467B5CAD4331E3ED7034E6D0686E323BD56CF2C439378A76288ED34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libtasn1-6.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):80653
                                                          Entropy (8bit):5.935029812256724
                                                          Encrypted:false
                                                          SSDEEP:1536:K7jqZI3jgg9IJgo+wrcKl8l2gdejHL8jT7x8ZKQi3uh:yUojggfo+wgl2gGHLYXx80T3uh
                                                          MD5:266FA5BAC8FAB45A57B3EB68495334F4
                                                          SHA1:C845B88A5F2279E348886E4D6246F855ACAA85B9
                                                          SHA-256:C8A3B86D6E930B21F428A3CAC3CC8FB432716D16043824DF886731565BFE8A23
                                                          SHA-512:EF8CAEF0A926865D4B1FE0CE51DC9542B814EB76392F85895A042AC514C529426519C83BCEC2EB976848D174D504E2852FA854C06A70D21F4E16DEBD533E3D0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\mingwm10.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):7182
                                                          Entropy (8bit):3.851683776363626
                                                          Encrypted:false
                                                          SSDEEP:96:AT0nsNJmBwoCtrOEhXpOITI151ihv2idiG:83KwoCtrOESITI151ihvtp
                                                          MD5:A5A239C980D6791086B7FE0E2CA38974
                                                          SHA1:DBD8E70DB07AC78E007B13CC8AE80C9A3885A592
                                                          SHA-256:FB33C708C2F83C188DC024B65CB620D7E2C3939C155BC1C15DC73DCCEBE256B7
                                                          SHA-512:8667904DDA77C994F646083EF39B1F69C2961758C3DA60CECADFE6D349DD99934C4D8784F8E38AE8B8C9EB9762EDD546F2A7B579F02612578F8049E9D10E8DA7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\pthreadGC2.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.049364088538635
                                                          Encrypted:false
                                                          SSDEEP:384:RHKAwDe/yMw0U0GuOI+KDYZ1EWsLKkSqPmMmg2oes9yzCuFYh3oDqLjBISO0IqMU:RHKAm0UsO76WsxDmELsCDIMiH3YN
                                                          MD5:928C9EEA653311AF8EFC155DA5A1D6A5
                                                          SHA1:27300FCD5C22245573F5595ECBD64FCE89C53750
                                                          SHA-256:6DC4BEE625A2C5E3499E36FE7C6FF8EAD92ADF6AAE40C4099FDC8EF82E85B387
                                                          SHA-512:0541D706BB53F8A04C78FCF327C4557553FA901D645AD2FD446E79753B4729F1E36793F42FBDD9B5E92073A30ED9A3DD853773A06EBEA8E9302ECE91A6C5362C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G..V...........#.....f.........................a.................................Y........ .........................................d............................................................................................................text....e.......f..................`.0`.data................j..............@.0..bss....p.............................0..edata...............l..............@.0@.idata...............|..............@.0..rsrc...d...........................@.0..reloc..............................@.0B........................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\is-DDSCO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):340
                                                          Entropy (8bit):4.329376027112529
                                                          Encrypted:false
                                                          SSDEEP:6:uCohGf+wnvVEk6ubLCG3jOQU4uDCpN+ODaJ/CMt1lyvYs1vyQ:Ah7qvVR+aOeuDeNNaZ/wvB1vn
                                                          MD5:2E5417F883E221DAD966C8C7851294C2
                                                          SHA1:AB1B82343073A226CD8D12875E2ABAB05249C6A9
                                                          SHA-256:440E0557C735D1AF2DC425C5FB095F3DF4B3A12BB95F65CE04CAD9CCDD5FCA2D
                                                          SHA-512:2E2326391189FC0B98F727A6EAC5211F600C4D9A2BD7A986C696AD6220DC2AB33D28D4AFC2F551D1F68FFC5DFA5C73FAADA067BD13C5333DC3B9B3A9E99E1E7E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 0|A.0|a.3|B.3|b.2|C.2|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Z.6|Z.0|Y.0|y.9|!.9|..9|".9|..9|/.9|..5| .0|1.0|+.1|2.1|..1|3.1|..2|4.2|..3|5.3|..3|6.3|..6|7.6|..6|8.6|..7|9.7|..9|0.9|..8|,.0|;.9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\is-J58EF.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):61
                                                          Entropy (8bit):4.502287699697848
                                                          Encrypted:false
                                                          SSDEEP:3:U96Q+ALu3LRRDJNtfEFju9m/LJ:UYQ+WGRxEFqWt
                                                          MD5:97C705D1301F982E0010876C8FDA614E
                                                          SHA1:ACDB1D10A6B7AEA47932A100D36A6F9D867C40C1
                                                          SHA-256:DB42C3BC77F54B145D013C395509A5496DA3B5A8D4730C5F593E2835F1F2D7F5
                                                          SHA-512:170CD69F3CF93EB7315390A569D4D03BB9CB1D606D8DE8B63B267BC2E1E8B45E8683BAF929016E0F45840C68A221E0C3B58B7A6A48E89715234E450D5D3F2377
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_font_name=DoulosSILR.ttf.theme_locale_name=cs_CZ.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\keyboard.lst (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):340
                                                          Entropy (8bit):4.329376027112529
                                                          Encrypted:false
                                                          SSDEEP:6:uCohGf+wnvVEk6ubLCG3jOQU4uDCpN+ODaJ/CMt1lyvYs1vyQ:Ah7qvVR+aOeuDeNNaZ/wvB1vn
                                                          MD5:2E5417F883E221DAD966C8C7851294C2
                                                          SHA1:AB1B82343073A226CD8D12875E2ABAB05249C6A9
                                                          SHA-256:440E0557C735D1AF2DC425C5FB095F3DF4B3A12BB95F65CE04CAD9CCDD5FCA2D
                                                          SHA-512:2E2326391189FC0B98F727A6EAC5211F600C4D9A2BD7A986C696AD6220DC2AB33D28D4AFC2F551D1F68FFC5DFA5C73FAADA067BD13C5333DC3B9B3A9E99E1E7E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 0|A.0|a.3|B.3|b.2|C.2|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Z.6|Z.0|Y.0|y.9|!.9|..9|".9|..9|/.9|..5| .0|1.0|+.1|2.1|..1|3.1|..2|4.2|..3|5.3|..3|6.3|..6|7.6|..6|8.6|..7|9.7|..9|0.9|..8|,.0|;.9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\settings.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):61
                                                          Entropy (8bit):4.502287699697848
                                                          Encrypted:false
                                                          SSDEEP:3:U96Q+ALu3LRRDJNtfEFju9m/LJ:UYQ+WGRxEFqWt
                                                          MD5:97C705D1301F982E0010876C8FDA614E
                                                          SHA1:ACDB1D10A6B7AEA47932A100D36A6F9D867C40C1
                                                          SHA-256:DB42C3BC77F54B145D013C395509A5496DA3B5A8D4730C5F593E2835F1F2D7F5
                                                          SHA-512:170CD69F3CF93EB7315390A569D4D03BB9CB1D606D8DE8B63B267BC2E1E8B45E8683BAF929016E0F45840C68A221E0C3B58B7A6A48E89715234E450D5D3F2377
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_font_name=DoulosSILR.ttf.theme_locale_name=cs_CZ.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\abeceda.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):78
                                                          Entropy (8bit):3.899829828948582
                                                          Encrypted:false
                                                          SSDEEP:3:O81Y5qTivtvmfBy7UlWf2vxvwvzv8N+nPyn:ONCilmZiOa2Bw7OKPyn
                                                          MD5:CA1D4315A55A43CE742942BD35034034
                                                          SHA1:5149927E633B4320D00600FDD5A12A367956D49E
                                                          SHA-256:77891560CAC7B7F2ED6AE01E7BFC979EFC1AF6AB686C534F03CFBCAEAB002A3B
                                                          SHA-512:18C88C698B33AC6312BE9ED7EB8D8840605AD33D3AB87650F643E964871EA7171DDD4C69FC121D64548CF5B192BEC5D634A3059DCC876227F7702AF201643823
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Abeceda.A.B.C.D.E.F.G.H.CH.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z...........
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-60AQ9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):78
                                                          Entropy (8bit):3.899829828948582
                                                          Encrypted:false
                                                          SSDEEP:3:O81Y5qTivtvmfBy7UlWf2vxvwvzv8N+nPyn:ONCilmZiOa2Bw7OKPyn
                                                          MD5:CA1D4315A55A43CE742942BD35034034
                                                          SHA1:5149927E633B4320D00600FDD5A12A367956D49E
                                                          SHA-256:77891560CAC7B7F2ED6AE01E7BFC979EFC1AF6AB686C534F03CFBCAEAB002A3B
                                                          SHA-512:18C88C698B33AC6312BE9ED7EB8D8840605AD33D3AB87650F643E964871EA7171DDD4C69FC121D64548CF5B192BEC5D634A3059DCC876227F7702AF201643823
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Abeceda.A.B.C.D.E.F.G.H.CH.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z...........
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-6IOGQ.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):260
                                                          Entropy (8bit):4.444810843100335
                                                          Encrypted:false
                                                          SSDEEP:6:FIGhr9/b0Qy/vnpgWaKkptUWdLWM5FH6sg5HUdvJlkvrpoLSv/c:nX/b0f/vIQMJgCv+2SvE
                                                          MD5:EDBBE4CB460F6E0BD02EEC2116198725
                                                          SHA1:94ED9A1BCDDB42E62B0290093D3ABA073645E5F0
                                                          SHA-256:73E6EC11601E300184A19A15BF2D123E46EE98966B9A49F4AEACE731B941DF13
                                                          SHA-512:1C87B451C2471B5AA99C7829B769B7CCAC358FC85270E134F45CBB0F14CDF4FE7C72DE4A3E1DDDF3838605C69EA4CB9E12EB367CE8BD7372A0D03B8FBABEE9DF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 3 p.smena.ABY.ACH.ALE.ALT.ANO.B.J.B.L.BAR.BAS.BIL.BUK.B.K.CAR.CHA.C.L.DEJ.DUB.D.L.ESO.EVA.F.N.HAD.H.J.H.K.IVA.J.L.KAT.K.V.KAZ.KDE.KDO.KDY.KEL.LED.LEH.L.K.LEM.LEN.LEP.LES.LET.LEV.MED.NIT.NOC.NOS.OSA.R.J.RAK.S.L.SUP.TRH.TRN.TUK.VEN.VES.ZOB
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-6M9NV.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):189
                                                          Entropy (8bit):4.354970599038016
                                                          Encrypted:false
                                                          SSDEEP:3:FTExsuIPA5vBUJhJYzn+vuqx8y7MwpK0Dq1vXm10OW28xpKEWMhyQj:FIGvA5gyzQ3ZpKSq1vXC0D2gkEWMv
                                                          MD5:339977CA0C3B1C337D71A31DFA04834F
                                                          SHA1:647A92DC735F8F3E400B859A919A0F1940A6D099
                                                          SHA-256:01C5B4A09727217F99997B5E9E19EE81F26346315426E9781E80D71C2A3ED1C2
                                                          SHA-512:CF2EDD7D15DC92658424D1A4371B87E04A727C53931446488BF5E2CA47B13DB8629F9E65E20EDC38E508F43003D8A18E1EDADA250ADB9D62151D53DB38FE4020
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 2 p.smena.AD.AP.AU.CO.D..DO.DR.EC.ES.HW.J..JE.JI.KE.KS.KU.KV.M..M..MI.MU.NA.NF.NV.OD.OK.ON.OP.OS.PA.PC.P..PO.SE.SI.SK.ST.SW.TA.T..TI.TJ.TO.TU.TY.UK..L.UM.VE.V..VY.WC.ZA.ZE
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-C75PA.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):4.567882392336099
                                                          Encrypted:false
                                                          SSDEEP:6:FIGexCy/fnIjb19vCAzTA8Iy47jWfOoOxvwNwEFLB7HxVV3n77:neBm/zE8Iye6fOo8YNpBFL377
                                                          MD5:1E9E1243C3EAE2633D21725160F452F9
                                                          SHA1:CE5FC2CC98D90DF0510A3C928224E3D2DF6062A1
                                                          SHA-256:7EDC11F8A650E4B1BDB28BC352E43D4609C82BBD04A5C1BBD4B10691AE0B114F
                                                          SHA-512:D3DD07851155124656D6EEE8B5FEFC81D6882F6BD3B239AA94FF611B5A28C42DEB7692E5E08D7E149D062982DDDA48E38C9B643FDD137F72153ACC06182A2488
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 4 p.smena.ALFA.AUTO.BRAK.BRAL.COSI.CUKL.CUKR.D.KY.DR.B.EL.N.EMIL.GONG.HLAD.HLAS.HROB.HROM.KLID.KOP..KR.L.KR.M.KR.M.M.SA.M.TO.NUDA.N.TY.O.ZA.OSEL.P.RA.PRAK.ROSA.ROPA.R.HA.RYT..S.TO.SLZA.SN.H.SVAL.T.TA.T.HA.TRN..TYGR.UCHO.UM.T..TOK.V.HA.VATA.VINA.V.TR.VLNA.VRBA.ZIMA.ZNAK.ZVUK.ZVYK

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.896187341178987
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 98.04%
                                                          • Inno Setup installer (109748/4) 1.08%
                                                          • InstallShield setup (43055/19) 0.42%
                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                          File name:br4Cu3BycW.exe
                                                          File size:5124457
                                                          MD5:ec72a93f6279b16006f2196f330166ee
                                                          SHA1:74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
                                                          SHA256:4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
                                                          SHA512:3c0b595d905e8d6f83b82d769415bc257eaf514832575674179720b8486dccd5df24c0ff9a789498f76c388bfc5048fa56c0569d2342277c159262ca58ecf0ad
                                                          SSDEEP:98304:8SiwHhbbp/qa7irrDRcLAs6EOZ354tnteHOBQNnPcMa:Np/qRv9qAzEPttRmcd
                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                          File Icon

                                                          Icon Hash:5030d06cecec80aa

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4b5eec
                                                          Entrypoint Section:.itext
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:1
                                                          File Version Major:6
                                                          File Version Minor:1
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:1
                                                          Import Hash:5a594319a0d69dbc452e748bcf05892e

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          add esp, FFFFFFA4h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          xor eax, eax
                                                          mov dword ptr [ebp-3Ch], eax
                                                          mov dword ptr [ebp-40h], eax
                                                          mov dword ptr [ebp-5Ch], eax
                                                          mov dword ptr [ebp-30h], eax
                                                          mov dword ptr [ebp-38h], eax
                                                          mov dword ptr [ebp-34h], eax
                                                          mov dword ptr [ebp-2Ch], eax
                                                          mov dword ptr [ebp-28h], eax
                                                          mov dword ptr [ebp-14h], eax
                                                          mov eax, 004B10F0h
                                                          call 00007F760498B055h
                                                          xor eax, eax
                                                          push ebp
                                                          push 004B65E2h
                                                          push dword ptr fs:[eax]
                                                          mov dword ptr fs:[eax], esp
                                                          xor edx, edx
                                                          push ebp
                                                          push 004B659Eh
                                                          push dword ptr fs:[edx]
                                                          mov dword ptr fs:[edx], esp
                                                          mov eax, dword ptr [004BE634h]
                                                          call 00007F7604A2D77Fh
                                                          call 00007F7604A2D2D2h
                                                          lea edx, dword ptr [ebp-14h]
                                                          xor eax, eax
                                                          call 00007F76049A0AC8h
                                                          mov edx, dword ptr [ebp-14h]
                                                          mov eax, 004C1D84h
                                                          call 00007F7604985C47h
                                                          push 00000002h
                                                          push 00000000h
                                                          push 00000001h
                                                          mov ecx, dword ptr [004C1D84h]
                                                          mov dl, 01h
                                                          mov eax, dword ptr [004237A4h]
                                                          call 00007F76049A1B2Fh
                                                          mov dword ptr [004C1D88h], eax
                                                          xor edx, edx
                                                          push ebp
                                                          push 004B654Ah
                                                          push dword ptr fs:[edx]
                                                          mov dword ptr fs:[edx], esp
                                                          call 00007F7604A2D807h
                                                          mov dword ptr [004C1D90h], eax
                                                          mov eax, dword ptr [004C1D90h]
                                                          cmp dword ptr [eax+0Ch], 01h
                                                          jne 00007F7604A33DEAh
                                                          mov eax, dword ptr [004C1D90h]
                                                          mov edx, 00000028h
                                                          call 00007F76049A2424h
                                                          mov edx, dword ptr [004C1D90h]

                                                          Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x10e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb361c | 0xb3800 | False | 0.344863934105 | data | 6.35605820433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.97275005522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.360979352679 | data | 5.04440056201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.89870464796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.75636286825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.87222286659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.38389437522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x10e00 | 0x10e00 | False | 0.188628472222 | data | 3.71218064983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name | RVA | Size | Type | Language | Country
                                                          RT_ICON | 0xc7678 | 0xa68 | dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0xc80e0 | 0x668 | data | English | United States
                                                          RT_ICON | 0xc8748 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0xc8a30 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_ICON | 0xc8b58 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 0, next used block 101056512 | English | United States
                                                          RT_ICON | 0xca180 | 0xea8 | data | English | United States
                                                          RT_ICON | 0xcb028 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0xcb8d0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_ICON | 0xcbe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                          RT_ICON | 0xcd120 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4244635647, next used block 4294967295 | English | United States
                                                          RT_ICON | 0xd1348 | 0x25a8 | data | English | United States
                                                          RT_ICON | 0xd38f0 | 0x10a8 | data | English | United States
                                                          RT_ICON | 0xd4998 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_STRING | 0xd4e00 | 0x360 | data | |
                                                          RT_STRING | 0xd5160 | 0x260 | data | |
                                                          RT_STRING | 0xd53c0 | 0x45c | data | |
                                                          RT_STRING | 0xd581c | 0x40c | data | |
                                                          RT_STRING | 0xd5c28 | 0x2d4 | data | |
                                                          RT_STRING | 0xd5efc | 0xb8 | data | |
                                                          RT_STRING | 0xd5fb4 | 0x9c | data | |
                                                          RT_STRING | 0xd6050 | 0x374 | data | |
                                                          RT_STRING | 0xd63c4 | 0x398 | data | |
                                                          RT_STRING | 0xd675c | 0x368 | data | |
                                                          RT_STRING | 0xd6ac4 | 0x2a4 | data | |
                                                          RT_RCDATA | 0xd6d68 | 0x10 | data | |
                                                          RT_RCDATA | 0xd6d78 | 0x2c4 | data | |
                                                          RT_RCDATA | 0xd703c | 0x2c | data | |
                                                          RT_GROUP_ICON | 0xd7068 | 0xbc | data | English | United States
                                                          RT_VERSION | 0xd7124 | 0x584 | data | English | United States
                                                          RT_MANIFEST | 0xd76a8 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                          Imports

                                                          DLL | Import
                                                          kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                          comctl32.dll | InitCommonControls
                                                          version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                                                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                          netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                                                          advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

                                                          Exports

                                                          Name | Ordinal | Address
                                                          TMethodImplementationIntercept | 3 | 0x454060
                                                          __dbk_fcall_wrapper | 2 | 0x40d0a0
                                                          dbkFCallWrapperAddr | 1 | 0x4be63c

                                                          Version Infos

                                                          Description | Data
                                                          LegalCopyright |
                                                          FileVersion | 1.8.3.7
                                                          CompanyName | XiliumHQ
                                                          Comments | This installation was built with Inno Setup.
                                                          ProductName | Crystal Reports Extra
                                                          ProductVersion | 1.8.3.7
                                                          FileDescription | Crystal Reports Extra Setup
                                                          OriginalFileName |
                                                          Translation | 0x0000 0x04b0

                                                          Possible Origin

                                                          Language of compilation system | Country where language is spoken
                                                          English | United States

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Sep 28, 2021 09:32:03.917289972 CEST | 49750 | 80 | 192.168.2.3 | 147.135.170.166
                                                          Sep 28, 2021 09:32:06.927512884 CEST | 49750 | 80 | 192.168.2.3 | 147.135.170.166
                                                          Sep 28, 2021 09:32:12.936220884 CEST | 49750 | 80 | 192.168.2.3 | 147.135.170.166

                                                          UDP Packets


                                                          Code Manipulations

                                                          Statistics

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time: 09:31:48
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\br4Cu3BycW.exe'
                                                          Imagebase: 0x400000
                                                          File size: 5124457 bytes
                                                          MD5 hash: EC72A93F6279B16006F2196F330166EE
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:50
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp' /SL5='$302CC,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe'
                                                          Imagebase: 0x400000
                                                          File size: 3194368 bytes
                                                          MD5 hash: EEB69F7B86959AE72B9D37443FB7F3D0
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:51
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
                                                          Imagebase: 0x400000
                                                          File size: 5124457 bytes
                                                          MD5 hash: EC72A93F6279B16006F2196F330166EE
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:53
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp' /SL5='$120262,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
                                                          Imagebase: 0x400000
                                                          File size: 3194368 bytes
                                                          MD5 hash: EEB69F7B86959AE72B9D37443FB7F3D0
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:58
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe'
                                                          Imagebase: 0x400000
                                                          File size: 4910592 bytes
                                                          MD5 hash: 11DD538F1BF5F174834DBA334964A691
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.562826054.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation: low

                                                          Disassembly

                                                          Code Analysis
